Cryptography and Security - Computer Science
CS4413a – fall 2011
Cryptography and Security
LUCIAN ILIE
© 2011 by Lucian Ilie
CS4413a – Cryptography and Security – fall 2011 – © 2011 by Lucian Ilie
1 INTRODUCTION
1.1 Why do we need cryptography
“Unfortunately, the technical wizardry enabling remote collaborations is founded on broadcasting everything as sequences of zeros and ones that one’s dog wouldn’t recognize. What is to distinguish a digital dollar when it is as easily reproducible as the spoken word? How do we converse privately when every syllable is bounced off a satellite and smeared over an entire continent? How should a bank know that it really is Bill Gates requesting from his laptop in Fiji a transfer of $10,000,000,000 to another bank?
Fortunately, the magical mathematics of cryptography can help. Cryptography provides techniques for keeping information secret, for determining that information has not been tampered with, and for determining who authored pieces of information.”
Ronald Rivest, Foreword to Handbook of Applied Cryptography
1.2 Goals of cryptography
- fundamental objective – to enable Alice and Bob to communicate over an insecure channel such that Oscar cannot understand what is being said; see Fig. 1.
Figure 1: Two-party communication using encryption. Alice takes the plaintext x from the plaintext source, computes the ciphertext e_K(x) = c and sends c over the UNSECURED CHANNEL; Bob computes d_K(c) = x and passes x on to the destination; the adversary (Oscar) observes the channel.
1. Confidentiality – secrecy of data (the historical goal); ensures that the data is not understood by anyone other than the intended receiver
2. Data integrity – prevents unauthorized alteration of data; one must be able to detect data manipulation (i.e., insertion, deletion, substitution)
3. Authentication – identification of both parties (the sender and the receiver should identify each other) and of information (origin, date of origin, data content, time sent, etc.)
- data origin authentication – verifies the source of data
- entity authentication – verifies the identity of the other party; i.e., ensures that you are not talking to an impostor
4. Non-repudiation – prevents a party from denying previous actions
Example 1.1. (i) User A transmits a file to user B. User C, who is not authorized to read it, intercepts the file during transmission.
(ii) A network manager D sends to a computer E an updated file of the users having access to E. User F intercepts the message and adds or deletes entries.
(iii) As in (ii), but now F creates a new file and sends it to E, which believes the file comes from D.
(iv) A customer C sends a message to a stockbroker D with instructions for various transactions. Subsequently, the investments lose value and the customer denies sending the message.
□
Cryptography – the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, and authentication.
Cryptanalysis – the study of mathematical techniques for attempting to defeat cryptographic techniques and, more generally, information security services.
Cryptology – the study of cryptography and cryptanalysis.
1.3 Definitions and notations
- plaintext (message) – the (non-encrypted) text of the message
- ciphertext – the encrypted plaintext
- cryptosystem (cipher) – a tuple (𝒫, 𝒞, 𝒦, ℰ, 𝒟) where
𝒫 – finite set of plaintexts
𝒞 – finite set of ciphertexts
𝒦 – finite set of keys
for each K ∈ 𝒦:
e_K ∈ ℰ, e_K : 𝒫 → 𝒞 – encryption rule (algorithm)
d_K ∈ 𝒟, d_K : 𝒞 → 𝒫 – decryption rule (algorithm)
such that d_K(e_K(x)) = x, for any plaintext x ∈ 𝒫
- sender (Alice)
- receiver (Bob)
- adversary or opponent or attacker (Oscar)
Why keys – would the encryption and decryption functions alone not be enough?
(i) if some particular transformation is revealed, the entire scheme need not be redesigned; just a new key is needed
(ii) changing keys frequently is sound cryptographic practice
(analogy: resettable combination lock)
- encryption and decryption protocol
1. Alice and Bob agree on a random key K ∈ 𝒦
2. Alice has the plaintext x = x_1 x_2 ... x_n, x_i ∈ 𝒫
3. Alice computes the ciphertext y = y_1 y_2 ... y_n, where y_i = e_K(x_i)
4. Bob receives y and computes x = d_K(y_1) ... d_K(y_n)
Notes:
- the encryption function must be injective
- if 𝒫 = 𝒞, then the encryption function is a permutation
- a fundamental premise in cryptography is that the sets 𝒫, 𝒞, 𝒦 are public knowledge
1.4 Security
Security attacks – classified by whether or not the adversary interferes with the information
- passive – the goal is to obtain the information transmitted
- release of message content – e.g., from a telephone conversation, e-mail, transferred files, etc.
- traffic analysis – e.g., location and identity of communicating hosts, frequency and length of messages, the nature of messages
- active attacks – involve some modification of the data stream
- masquerade – pretending to be a different entity
- replay – passive capture of a data unit and subsequent retransmission
- modification of messages
- denial of service
Passive attacks are difficult to detect but easy to prevent, whereas active attacks are easy to detect but difficult to prevent.
Security attacks can also be divided into on-line and off-line.
Example 1.2. Trying to find a password has no chance on-line but becomes quite possible off-line.
Types of attacks – classified by the information available to the adversary
- ciphertext-only – the adversary possesses only a string of ciphertext
- known plaintext – the adversary possesses a string of plaintext and the corresponding ciphertext
- chosen plaintext – the adversary selects a string of plaintext and then obtains the corresponding ciphertext
- chosen ciphertext – the adversary selects a string of ciphertext and then obtains the corresponding plaintext
The attacks can also be classified by the approach used into
- cryptanalysis – when the attack relies on the nature of the algorithm plus some information such as the above, and
- brute force – when all keys (on average half of them) are tried until a good one is found; below are some estimates of the time needed by brute force attacks for various key sizes and speeds.

Key size (bits)   Number of keys           Time (1 encryption/µs)             Time (10^6 encryptions/µs)
32                2^32 ≈ 4.3×10^9          2^31 µs ≈ 35.8 min                 ≈ 2.15 µs
56                2^56 ≈ 7.2×10^16         2^55 µs ≈ 1142 years               ≈ 10.01 hours
128               2^128 ≈ 3.4×10^38        2^127 µs ≈ 5.4×10^24 years         ≈ 5.4×10^18 years
168               2^168 ≈ 3.7×10^50        2^167 µs ≈ 5.9×10^36 years         ≈ 5.9×10^30 years
26 characters     26! ≈ 4×10^26            ≈ 2×10^26 µs ≈ 6.4×10^12 years     ≈ 6.4×10^6 years

It is important to mention that trying a key does not mean only decrypting using that key but also identifying whether the obtained plaintext is the valid one. For instance, if a random (meaningless) sequence of bits is encrypted, then it is impossible to decrypt simply because, even after all keys are tried, the attacker does not know which one is the correct plaintext.
Adversarial goal – specifies what it means for the adversary to “break” the system
- complete break – find out the key
- partial break – decrypt some ciphertext (or determine some partial information about the plaintext)
- distinguishability – distinguish between valid ciphertext and random strings
Security level – specifies the computational resources available to the adversary
- unconditional security – infinite computational resources
- computational security – measures the amount of computational effort required, by the best currently known methods, to defeat a system
- provable security – the difficulty of breaking a system is shown to be essentially as difficult as solving a well-known (supposedly) difficult problem (usually number-theoretic)
In practice a system is usually called secure if either the cost to break it exceeds the value of the information obtained or the time required to break it exceeds the lifetime of the information. Also, any attack should take no less than brute force.
Ciphers
- by type of operations
- substitutions – each element of the plaintext (bit, letter, group of bits or letters) is mapped into another element
- transpositions (permutations) – the elements of the plaintext are rearranged
- by the number of keys used
- one key for both sender and receiver – symmetric encryption (see below)
- two different keys – public-key encryption (see below)
- by the way the plaintext is processed
- block cipher – one block of the input is processed at a time, producing one block of output
- stream cipher – the input is processed continuously, producing one element of the output at a time
1.5 Symmetric-key encryption
- for any pair (e_K, d_K), it is computationally easy to determine d_K knowing only e_K
- both must be secret
- also called secret-key or conventional encryption
- see Fig. 2
Figure 2: Two-party communication using encryption and a secure channel for key exchange. The key source delivers the key to Alice and Bob over the SECURE CHANNEL; Alice computes e_K(x) = c for the plaintext x and sends c over the UNSECURED CHANNEL, which Oscar observes; Bob computes d_K(c) = x.
Key distribution problem – finding an efficient method to agree upon and exchange keys securely
1.6 Public-key encryption
- for any pair (e_K, d_K), it is computationally infeasible to determine d_K knowing e_K
- e_K can be made public
- anyone can encrypt
- only Bob can decrypt
- see Fig. 3
(analogy: box with a resettable combination lock)
The encryption function is a trapdoor one-way function
- one-way – y = f(x) is easy to compute but f^{-1}(y) is computationally infeasible
- trapdoor one-way – a one-way function with the property that, given some additional information (trapdoor information), it becomes feasible to compute f^{-1}(y)
Figure 3: Encryption using public-key techniques. Bob's key source produces the pair (e, d); the encryption key e is sent to Alice over the UNSECURED CHANNEL (Oscar can see it) while d is kept by Bob; Alice computes e_K(x) = c and sends c over the UNSECURED CHANNEL; Bob computes d_K(c) = x.
Example 1.3. A very intuitive example of a trapdoor one-way function is the following. Assume we take the phone book of a large city, say Toronto, and produce another book which has the same entries but sorted by phone numbers instead of names. The one-way function, f, associates with each name the corresponding phone number. It is very easy to compute f; just look into the phone book. But if you want to compute the inverse of f, that is very difficult; given a phone number, one has to read all entries in the phone book until the person having that phone number is found. The trapdoor is the book ordered by phone numbers. Having it makes computing f^{-1} as easy as computing f.
□
Example 1.4. One-way function – discrete logarithm problem
f : {1, 2, ..., 16} → {1, 2, ..., 16}
f(x) = 3^x mod 17
f(x) is relatively easy to compute
f^{-1}(7) = ? (answer: 11)
□
Example 1.5. One-way function – integer factorization problem
- multiplication of two integers is easy
- what are the factors of 2624653723? (answer: 48611 and 53993) □
Example 1.6. Trapdoor one-way function
(i) Subset-sum problem – NP-complete
- given positive integers (s_1, s_2, ..., s_n, T)
- find (if any) a binary vector x = (x_1, x_2, ..., x_n) such that
\sum_{i=1}^{n} x_i s_i = T
(ii) Subset-sum problem for superincreasing vectors – easy
(s_1, s_2, ..., s_n) is superincreasing if s_j > \sum_{i=1}^{j-1} s_i, for 2 ≤ j ≤ n
(iii) Trapdoor version – we have a superincreasing vector and transform it such that it looks ordinary
- choose a prime modulus p > \sum_{i=1}^{n} s_i and a multiplier 1 ≤ a ≤ p − 1
- put t_i = a s_i mod p; t = (t_1, t_2, ..., t_n) looks ordinary
y = e_K(x_1, ..., x_n) = \sum_{i=1}^{n} x_i t_i
trapdoor: s, p and a – knowing them, Bob can decrypt easily (superincreasing vector)
- Bob computes z = a^{-1} y mod p
and solves the (easy) problem (s_1, ..., s_n, z)
□
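The trapdoor of Example 1.6 carried through in Python, as an added example that is not code from the notes; the superincreasing vector s = (2, 3, 7, 15, 31, 62), the prime p = 127, the multiplier a = 20 and the message bits are all constructed values:

```python
# Added example (not from the lecture notes): the subset-sum trapdoor of Example 1.6.
# All parameters below are constructed for illustration.


def is_superincreasing(s):
    """s_j must exceed the sum of all earlier entries (2 <= j <= n)."""
    total = 0
    for sj in s:
        if sj <= total:
            return False
        total += sj
    return True


def solve_superincreasing(s, target):
    """The easy instance: scan s from the largest entry down and take an entry
    whenever it still fits. Returns the binary vector x, or None if no subset sums to target."""
    x = [0] * len(s)
    remaining = target
    for i in range(len(s) - 1, -1, -1):
        if s[i] <= remaining:
            x[i] = 1
            remaining -= s[i]
    return x if remaining == 0 else None


def make_public_key(s, p, a):
    """Disguise the superincreasing s as t_i = a * s_i mod p, which looks ordinary."""
    assert is_superincreasing(s) and p > sum(s) and 1 <= a <= p - 1
    return [(a * si) % p for si in s]


def encrypt(x, t):
    """y = sum_i x_i t_i: a plain subset-sum over the public vector t."""
    return sum(xi * ti for xi, ti in zip(x, t))


def decrypt(y, s, p, a):
    """Trapdoor: z = a^{-1} y mod p equals sum_i x_i s_i, an instance Bob solves greedily."""
    z = (pow(a, -1, p) * y) % p
    return solve_superincreasing(s, z)


def brute_force_subset_sum(t, target):
    """The 'ordinary' problem faced without the trapdoor: try all 2^n subsets of t."""
    n = len(t)
    for mask in range(1 << n):
        x = [(mask >> i) & 1 for i in range(n)]
        if encrypt(x, t) == target:
            return x
    return None


S_PRIVATE = [2, 3, 7, 15, 31, 62]   # constructed superincreasing vector (sum 120)
P_MOD, A_MULT = 127, 20             # constructed prime modulus > 120 and multiplier
T_PUBLIC = make_public_key(S_PRIVATE, P_MOD, A_MULT)   # [40, 60, 13, 46, 112, 97]
```

With n = 6 the brute-force search is instant, but it grows as 2^n while the greedy solver stays linear in n, which is the whole point of the trapdoor.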
2 SEVERAL CLASSICAL SYSTEMS
2.1 Modular arithmetic
a, b, m ∈ Z (integers), m > 0
a ≡ b (mod m) iff m divides b − a (m is called the modulus)
a = q_1 m + r_1, b = q_2 m + r_2 (q_1 and 0 ≤ r_1 ≤ m − 1 are unique; similarly for q_2 and r_2)
a mod m = r_1 is the remainder of a divided by m (q_1 is the quotient)
a ≡ b (mod m) iff r_1 = r_2
a mod m means that a is reduced modulo m
Arithmetic modulo m
Z_m = {0, 1, 2, ..., m − 1}
operations: + and ×; done as in Z with the result reduced modulo m
example: 11 × 13 = 15 in Z_16 (since 143 = 8·16 + 15)
rules of modular arithmetic: (Z_m, +, ×) is a commutative ring
addition: closed, commutative, associative; (additive) identity: 0; (additive) inverse of a: −a
multiplication: closed, commutative, associative; (multiplicative) identity: 1
distributivity of multiplication over addition
2.2 The shift cipher
We shall use Z_26 since there are 26 letters in English
- the correspondence is
A  B  C  D  E  F  G  H  I  J  K  L  M
0  1  2  3  4  5  6  7  8  9  10 11 12
N  O  P  Q  R  S  T  U  V  W  X  Y  Z
13 14 15 16 17 18 19 20 21 22 23 24 25
The shift cipher is called monoalphabetic since each letter is always mapped to the same letter.
The Shift Cipher
𝒫 = 𝒞 = 𝒦 = Z_26
encryption: e_K(x) = x + K mod 26
decryption: d_K(y) = y − K mod 26
Example 2.1. Here we have K = 11:
x = wewillmeetatmidnight
e_11(x) = HPHTWWXPPELEXTOYTRSE
□
Cryptanalysis (ciphertext only)
– the Shift Cipher can be easily broken by exhaustive key search – only 26 keys
2.3 The substitution cipher
The Substitution Cipher
𝒫 = 𝒞 = Z_26 (or the English alphabet)
𝒦 = {π | π is a permutation of Z_26}
encryption: e_π(x) = π(x)
decryption: d_π(y) = π^{-1}(y)
- monoalphabetic cipher
Example 2.2. Consider the permutation π that maps each lower-case letter of the first row to the capital letter below it:
a b c d e f g h i j k l m n o p q r s t u v w x y z
X N Y A H P O G Z Q W B T S F L R C V M U E K J D I
We then have
x = thisciphertextcannotbedecrypted
e_π(x) = MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA
□
Cryptanalysis (ciphertext only)
- exhaustive key search is infeasible since there are 26! keys
- can be broken using frequency analysis (for long enough messages)
2.4 The affine cipher
Congruences
1. congruence mod m is an equivalence relation
2. If a ≡ b mod m and c ≡ d mod m, then a ± c ≡ b ± d mod m
3. If a ≡ b mod m and d | m, then a ≡ b mod d
4. If a ≡ b mod m and a ≡ b mod n with gcd(m, n) = 1, then a ≡ b mod mn (m, n are called relatively prime)
- the multiplicative inverse of a is a^{-1} such that a a^{-1} ≡ a^{-1} a ≡ 1 (mod m)
Theorem 2.3. The congruence ax ≡ b mod m has a unique solution x ∈ Z_m for every b ∈ Z_m iff gcd(a, m) = 1.
Proof. If gcd(a, m) = 1 and a x_1 ≡ a x_2 mod m, then m | a(x_1 − x_2), hence m | x_1 − x_2, and within Z_m we must have x_1 = x_2. Thus, for every b, the congruence has at most one solution; since x ↦ ax mod m is then an injective map of the finite set Z_m into itself, it is also surjective, so for every b there is exactly one solution.
If d = gcd(a, m) ≥ 2, then ax ≡ 1 mod m implies d | ax − 1 and so d | 1, a contradiction. □
Corollary 2.4. a ∈ Z_m has a multiplicative inverse iff gcd(a, m) = 1.
- field – a ring in which every non-zero element has a multiplicative inverse
- if m is prime, then Z_m is a (commutative) field
Euler’s phi-function φ(m) gives the number of integers in Z_m that are relatively prime with m
Theorem 2.5. If m = \prod_{i=1}^{n} p_i^{e_i}, with p_i distinct primes and e_i ≥ 1, then
φ(m) = \prod_{i=1}^{n} (p_i^{e_i} − p_i^{e_i − 1}).
The Affine Cipher
𝒫 = 𝒞 = Z_26
𝒦 = {(a, b) ∈ Z_26 × Z_26 | gcd(a, 26) = 1}
encryption: e_(a,b)(x) = ax + b mod 26
decryption: d_(a,b)(y) = a^{-1}(y − b) mod 26
- monoalphabetic cipher
Cryptanalysis (ciphertext only)
- the number of keys is mφ(m); e.g., for m = 60, there are 960 keys
- can be broken using frequency analysis: we guess the plaintext of two ciphertext letters, compute a and b, and then test whether the guess was correct
Example 2.6. Assume the ciphertext
FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH
Most frequent letters: R (8), D (7), E, H, K (5), and F, S, V (4).
- e encrypted as R and t as D gives a = 6, illegal
- e encrypted as R and t as E gives a = 13, illegal
- e encrypted as R and t as H gives a = 8, illegal
- e encrypted as R and t as K gives a = 3, legal; b = 5, d_K(y) = 9y − 19, which gives the meaningful message
algorithmsarequitegeneraldefinitionsofarithmeticprocesses
so the key must be correct.
□
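The affine cipher and the two-letter guessing procedure of Example 2.6 in Python, as an added example that is not code from the notes; `solve_key` and `frequency_guesses` are names chosen here, and the ciphertext is the one of the example:

```python
# Added example (not from the lecture notes): affine cipher over Z_26 and the
# frequency-analysis key recovery of Example 2.6.
from collections import Counter
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def affine_encrypt(plaintext, a, b):
    """e_(a,b)(x) = a*x + b mod 26; the key is legal only when gcd(a, 26) = 1."""
    if gcd(a, 26) != 1:
        raise ValueError("illegal key: a must be invertible modulo 26")
    return "".join(ALPHABET[(a * ALPHABET.index(c) + b) % 26]
                   for c in plaintext.lower()).upper()


def affine_decrypt(ciphertext, a, b):
    """d_(a,b)(y) = a^{-1} (y - b) mod 26."""
    a_inv = pow(a, -1, 26)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(c) - b)) % 26]
                   for c in ciphertext.lower())


def solve_key(pair1, pair2):
    """From two guesses (plaintext letter, ciphertext letter) solve
    a*x1 + b = y1 and a*x2 + b = y2 (mod 26) for (a, b).
    Returns None when x1 - x2 is not invertible mod 26 (no unique solution)."""
    x1, y1 = (ALPHABET.index(ch.lower()) for ch in pair1)
    x2, y2 = (ALPHABET.index(ch.lower()) for ch in pair2)
    dx, dy = (x1 - x2) % 26, (y1 - y2) % 26
    if gcd(dx, 26) != 1:
        return None
    a = (dy * pow(dx, -1, 26)) % 26
    b = (y1 - a * x1) % 26
    return a, b


def frequency_guesses(ciphertext, tries=5):
    """The procedure of Example 2.6: assume the most frequent ciphertext letter is 'e',
    try the next most frequent ones as 't', and keep only the legal keys (gcd(a, 26) = 1).
    Each surviving key still has to be checked by decrypting and reading the result."""
    order = [ch for ch, _ in Counter(ciphertext).most_common()]
    legal = []
    for cand_t in order[1:1 + tries]:
        key = solve_key(("e", order[0]), ("t", cand_t))
        if key is not None and gcd(key[0], 26) == 1:
            legal.append(key)
    return legal


CIPHERTEXT_2_6 = "FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH"
```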
2.5 The Vigenère cipher
The Vigenère Cipher
𝒫 = 𝒞 = 𝒦 = (Z_26)^m
encryption (key K = (k_1, ..., k_m)):
e_K(x_1, ..., x_m) = (x_1 + k_1 mod 26, ..., x_m + k_m mod 26)
decryption: d_K(y_1, ..., y_m) = (y_1 − k_1 mod 26, ..., y_m − k_m mod 26)
The Vigenère cipher is not monoalphabetic since the same letter can be mapped to several different letters. It is called polyalphabetic. Frequency analysis does not work here! At least not as done so far.
Example 2.7. K = CIPHER, m = 6
thiscryptosystemisnotsecure
CIPHERCIPHERCIPHERCIPHERCIP
VPXZGIAXIVWPUBTTMJPWIZITWZT
□
Figure 4: Vigenère square
Cryptanalysis (ciphertext only)
- number of keys: 26^m – too large
- frequency of letters is not relevant
- considered unbreakable for a long time, until Kasiski
Kasiski’s method
- first find the length of the key
- key observation: identical segments of the plaintext which are at a distance divisible by m will be encrypted the same way
- find several pairs of identical segments in the ciphertext
- the greatest common divisor of their distances will give (with high probability) m
- use frequency analysis for each class of letters encrypted the same way
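Example 2.7 and the first two steps of Kasiski's method in Python, as an added example that is not code from the notes; the second plaintext (with the word "attack" placed at distances 12 and 18) and the key CIPHER are constructed so that the repeated segments are known in advance:

```python
# Added example (not from the lecture notes): Vigenère cipher and Kasiski's key-length test.
from collections import defaultdict
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def vigenere_encrypt(plaintext, key):
    """e_K(x_1..x_m) = (x_1 + k_1, ..., x_m + k_m) mod 26, the key repeated along the text."""
    ks = [ALPHABET.index(k) for k in key.lower()]
    out = [ALPHABET[(ALPHABET.index(c) + ks[i % len(ks)]) % 26]
           for i, c in enumerate(plaintext.lower())]
    return "".join(out).upper()


def vigenere_decrypt(ciphertext, key):
    """d_K(y_1..y_m) = (y_1 - k_1, ..., y_m - k_m) mod 26."""
    ks = [ALPHABET.index(k) for k in key.lower()]
    out = [ALPHABET[(ALPHABET.index(c) - ks[i % len(ks)]) % 26]
           for i, c in enumerate(ciphertext.lower())]
    return "".join(out)


def repeated_segment_distances(ciphertext, n=3):
    """Kasiski step 1: distances between consecutive occurrences of every n-gram
    that appears more than once in the ciphertext."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    distances = []
    for pos in positions.values():
        distances.extend(b - a for a, b in zip(pos, pos[1:]))
    return distances


def kasiski_key_length(ciphertext, n=3):
    """Kasiski step 2: the gcd of all the distances gives (with high probability) m.
    Returns None when no segment repeats (ciphertext too short)."""
    g = 0
    for d in repeated_segment_distances(ciphertext, n):
        g = gcd(g, d)
    return g or None


def letter_classes(ciphertext, m):
    """Input of step 3: the m classes y_j, y_{j+m}, y_{j+2m}, ...; each class is a shift
    cipher with key k_j, so frequency analysis applies to each class separately."""
    return [ciphertext[j::m] for j in range(m)]


# Constructed sample: "attack" occurs at positions 0, 12 and 30 (distances 12 and 18, gcd 6).
SAMPLE_PLAINTEXT = "attackatduskattackatdawnthenweattack"
SAMPLE_KEY = "CIPHER"
SAMPLE_CIPHERTEXT = vigenere_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
```

On a text this short the repeated trigrams all come from the planted word; on real ciphertext some repeats are coincidences, which is why the notes say the gcd gives m only with high probability.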
2.6 The Hill cipher
The Hill Cipher
𝒫 = 𝒞 = (Z_26)^m
𝒦 = {K | K is an m×m invertible matrix over Z_26}
encryption: e_K(x) = xK, all operations in Z_26
decryption: d_K(y) = yK^{-1}, all operations in Z_26
- polyalphabetic system
Example 2.8.
K = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}, \quad K^{-1} = \begin{pmatrix} 7 & 18 \\ 23 & 11 \end{pmatrix}
x = july = ((9, 20), (11, 24)), y = ((3, 4), (11, 22)) = DELW
□
Cryptanalysis (known or chosen plaintext)
- Oscar knows (chooses) m plaintexts x_i ∈ (Z_26)^m and (finds out) the corresponding ciphertexts y_i, 1 ≤ i ≤ m
- consider the matrices X, Y ∈ (Z_26)^{m×m} having the x_i’s and the y_i’s as rows
- the equation Y = XK gives the key K = X^{-1}Y (assuming X is invertible; in the chosen-plaintext case Oscar will make sure of that)
Example 2.9. Assume m = 2 and the plaintext friday is encrypted as PQCFKU, i.e., e_K(5, 17) = (15, 16), e_K(8, 3) = (2, 5), e_K(0, 24) = (10, 20). From the first two:
\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix} K
and so
K = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix}^{-1} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 9 & 1 \\ 2 & 15 \end{pmatrix} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix}
This can be verified using the third pair.
□
2.7 The permutation cipher
Also known as the transposition cipher.
The Permutation Cipher
𝒫 = 𝒞 = (Z_26)^m
𝒦 = {π | π is a permutation of {1, 2, ..., m}}
encryption: e_π(x_1, ..., x_m) = (x_π(1), ..., x_π(m))
decryption: d_π(y_1, ..., y_m) = (y_π^{-1}(1), ..., y_π^{-1}(m))
- polyalphabetic system
Example 2.10. Suppose m = 6 and
π = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 3 & 5 & 1 & 6 & 4 & 2 \end{pmatrix}. The inverse of π is π^{-1} = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 3 & 6 & 1 & 5 & 2 & 4 \end{pmatrix}.
We can then use π for encryption as below:
shesel lsseas hellsb ythese ashore
EESLSH SALSES LSHBLE HSYEET HRAEOS
We show next that the permutation cipher is a particular case of the Hill cipher. Given π we construct the matrix K_π = (k_ij) by
k_ij = 1 if i = π(j), and k_ij = 0 otherwise
(K_π is a permutation matrix.) It is easy to see that encrypting using π in the permutation cipher is the same as encrypting using K_π in the Hill cipher. Moreover, K_π^{-1} = K_{π^{-1}}.
For the example above, we have
K_π = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \end{pmatrix}, \quad
K_π^{-1} = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \end{pmatrix}
□
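The Hill cipher of Section 2.6 (Examples 2.8 and 2.9, including the known-plaintext recovery of K) and the permutation matrix K_π of Section 2.7 in one added Python example that is not code from the notes; it works for any block size m, not only m = 2, and the helper names (`mat_inv_mod`, `recover_key`, `permutation_matrix`) are chosen here:

```python
# Added example (not from the lecture notes): Hill cipher over Z_26, its known-plaintext
# cryptanalysis, and the permutation cipher as a Hill cipher with key K_pi.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MOD = 26


def minor(M, i, j):
    """M with row i and column j removed."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(M) if r != i]


def det(M):
    """Integer determinant by Laplace expansion along the first row (fine for small m)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))


def mat_inv_mod(M, mod=MOD):
    """K^{-1} = det(K)^{-1} * adj(K) mod 26. pow() raises ValueError when gcd(det, 26) != 1,
    i.e. when K is not invertible over Z_26 and so is not a legal Hill key."""
    n = len(M)
    d_inv = pow(det(M) % mod, -1, mod)
    adj = [[((-1) ** (i + j) * det(minor(M, j, i))) % mod for j in range(n)] for i in range(n)]
    return [[(d_inv * adj[i][j]) % mod for j in range(n)] for i in range(n)]


def mat_mul_mod(X, Y, mod=MOD):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % mod
             for j in range(len(Y[0]))] for i in range(len(X))]


def text_to_blocks(text, m):
    """Rows x_i in (Z_26)^m; the text length is assumed to be a multiple of m."""
    nums = [ALPHABET.index(c) for c in text.lower()]
    assert len(nums) % m == 0
    return [nums[i:i + m] for i in range(0, len(nums), m)]


def blocks_to_text(blocks):
    return "".join(ALPHABET[v] for block in blocks for v in block)


def hill_encrypt(text, K):
    """e_K(x) = xK for every block x (row vector times matrix, entries mod 26)."""
    return blocks_to_text(mat_mul_mod(text_to_blocks(text, len(K)), K)).upper()


def hill_decrypt(text, K):
    """d_K(y) = y K^{-1}."""
    return blocks_to_text(mat_mul_mod(text_to_blocks(text, len(K)), mat_inv_mod(K)))


def recover_key(plain_blocks, cipher_blocks):
    """Known-plaintext cryptanalysis: Y = XK gives K = X^{-1} Y when X is invertible."""
    return mat_mul_mod(mat_inv_mod(plain_blocks), cipher_blocks)


def permutation_matrix(pi):
    """K_pi with k_ij = 1 iff i = pi(j); pi is written 1-indexed, e.g. (3, 5, 1, 6, 4, 2)."""
    m = len(pi)
    return [[1 if pi[j] == i + 1 else 0 for j in range(m)] for i in range(m)]


def permutation_encrypt(text, pi):
    """e_pi(x_1, ..., x_m) = (x_pi(1), ..., x_pi(m)) on every block."""
    return blocks_to_text([[block[p - 1] for p in pi]
                           for block in text_to_blocks(text, len(pi))]).upper()
```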
2.8 Stream ciphers
- block ciphers – all plaintext elements are encrypted using the same key:
y = y_1 y_2 ... = e_K(x_1) e_K(x_2) ...
- stream ciphers – a keystream z = z_1 z_2 ... is used instead:
y = y_1 y_2 ... = e_{z_1}(x_1) e_{z_2}(x_2) ...
- z_i depends on the key K and the previous plaintexts
- synchronous – independent of the plaintexts (a generator takes K as input and produces the keystream)
- non-synchronous – dependent on previous plaintext or ciphertext
- periodic – the keystream is periodic
Example 2.11. The Vigenère cipher is a periodic synchronous stream cipher with period the length of the key. □
- assume 𝒫 = 𝒞 = L = Z_2, where L is the keystream alphabet
- linear: z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} mod 2, where the c_j ∈ Z_2 are fixed constants
K = (k_1, k_2, ..., k_m, c_0, ..., c_{m−1})
- the keystream is obviously periodic
- if (c_0, ..., c_{m−1}) are suitably chosen, then any (k_1, ..., k_m) ≠ (0, ..., 0) will give rise to a periodic keystream with (maximum) period 2^m − 1, which is desirable (Vigenère was cryptanalyzed using the fact that it has a short period)
Example 2.12. Take m = 4 and z_{i+4} = z_i + z_{i+1} mod 2. If the initial vector is different from (0, 0, 0, 0) then we get a keystream with period 15. E.g.:
1,0,0,0,1,0,0,1,1,0,1,0,1,1,1,1,...
□
Such a linear (synchronous) stream cipher can be efficiently implemented in hardware using a linear feedback shift register (LFSR).
- k_1 – the next keystream bit
- k_2, ..., k_m shift left
- k_m becomes \sum_{j=0}^{m-1} c_j k_{j+1} (linear feedback)
An example of an LFSR is given in Fig. 5. It generates the keystream of Example 2.12.
Figure 5: An LFSR with four stages k_1, k_2, k_3, k_4; the feedback is k_1 + k_2.
Cryptanalysis of LFSR
All operations are linear, so it is vulnerable to a known-(chosen-)plaintext attack.
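The LFSR of Example 2.12 in Python, as an added example that is not code from the notes: it generates the keystream, measures its period, and shows why linearity matters by solving the m equations z_{i+m} = Σ c_j z_{i+j} over Z_2 once 2m keystream bits are known. The plaintext bits and the second, badly chosen coefficient vector are constructed here:

```python
# Added example (not from the lecture notes): the linear keystream generator of
# Example 2.12 and the consequence of its linearity noted under "Cryptanalysis of LFSR".
EXAMPLE_INIT = [1, 0, 0, 0]      # (k_1, k_2, k_3, k_4), the non-zero initial vector
EXAMPLE_COEFFS = [1, 1, 0, 0]    # (c_0, c_1, c_2, c_3): z_{i+4} = z_i + z_{i+1} mod 2


def lfsr_keystream(init, coeffs, n):
    """First n bits of z, where z_{i+m} = sum_{j=0}^{m-1} c_j z_{i+j} mod 2."""
    m = len(init)
    assert len(coeffs) == m
    z = list(init)
    while len(z) < n:
        z.append(sum(c * z[-m + j] for j, c in enumerate(coeffs)) % 2)
    return z[:n]


def lfsr_period(init, coeffs):
    """Smallest p >= 1 with z_{i+p} = z_i for all i (the state has only 2^m values,
    so p <= 2^m - 1 for a non-zero seed; the all-zero seed has period 1)."""
    m = len(init)
    z = lfsr_keystream(init, coeffs, 2 ** m + m)
    for p in range(1, 2 ** m):
        if z[p:p + m] == z[:m]:
            return p
    return None


def stream_xor(bits, keystream):
    """Encryption and decryption coincide: y_i = x_i + z_i mod 2."""
    return [b ^ z for b, z in zip(bits, keystream)]


def recover_coefficients(keystream, m):
    """Why the LFSR fails against known plaintext: ciphertext XOR plaintext reveals
    keystream bits, and 2m of them give the m linear equations
    z_{i+m} = sum_j c_j z_{i+j}, i = 0..m-1, solved here by Gauss-Jordan over Z_2.
    Returns None if those bits do not determine the coefficients uniquely."""
    rows = [[keystream[i + j] for j in range(m)] + [keystream[i + m]] for i in range(m)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]
```

With the coefficients in hand the whole keystream can be regenerated, so every later ciphertext bit is readable: the generator must not be linear in its state.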
A simple example of a non-synchronous stream cipher is the Autokey cipher.
The Autokey Cipher
𝒫 = 𝒞 = 𝒦 = L = Z_26
z_1 = K and z_i = x_{i−1}, for i ≥ 2
encryption: e_z(x) = (x + z) mod 26
decryption: d_z(y) = (y − z) mod 26
Example 2.13. Suppose K = 8; we have the following encryption (plaintext, keystream, ciphertext):
rendezvous
irendezvou
ZVRQHDUJIM
□
2.9 One-time pad
Notice that the autokey cipher is a modified Vigenère cipher where the key is the plaintext itself shifted by a fixed amount. Vigenère was possible to break by finding the length of the key. In autokey the key has the same length as the plaintext. Still, because it is related to the plaintext, statistical techniques can still be applied. Ideally, the key should be of the same length as the plaintext but completely unrelated. This is done in the One-time Pad cipher.
One-time Pad
n ≥ 1, 𝒫 = 𝒞 = 𝒦 = (Z_2)^n
encryption: e_K(x) = (x_1 + K_1, ..., x_n + K_n) mod 2
decryption: d_K(y) = (y_1 + K_1, ..., y_n + K_n) mod 2
- advantage: Theorem 3.6 implies that the One-time Pad is perfectly secure
- disadvantages:
- the key (which has to be securely communicated) is at least as big as the plaintext
- each key can be used only once
- vulnerable against known-plaintext attack
- severe key management problems; not used commercially, but used diplomatically and in the military
- much used for the Moscow–Washington hot-line
- much used by Russian agents operating in foreign countries
Invented in 1918 (by Vernam), it was thought to be unbreakable for many years (intuitively!) until Shannon proved it unbreakable in 1949. (See the next chapter for the proof.) The idea behind this is that, due to the independence of the key, the ciphertext can be decrypted into anything! See the example below; notice that we work over Z_27 (the 26 letters and the space).
Example 2.14. The same ciphertext (first line) under two different keys (second line) gives two different meaningful plaintexts (third line):
ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
pxlmvmsydoftyrvzwc tnlebnecvgdupahfzzlmnyih
mr mustard with the candlestick in the hall
ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
pftgpmaydgaxgoufhklllmhsqdqogtewbqfgyovuhwt
miss scarlet with the knife in the library
□
3 PERFECT SECRECY
3.1 Probability theory
- recall that unconditional security assumes the cryptanalyst has infinite computational resources
- we need probabilities to study unconditional security
notations
- X and Y discrete random variables
- Prob(x) = Prob(X = x) – the probability that X takes value x
- Prob(y) = Prob(Y = y) – the probability that Y takes value y
- Prob(x, y) – joint probability – the probability that X takes value x and Y takes value y
- Prob(x|y) – conditional probability – the probability that X takes value x given that Y takes value y
- X and Y are independent if Prob(x, y) = Prob(x)Prob(y), for all x, y
- Prob(x, y) = Prob(x|y)Prob(y) = Prob(y|x)Prob(x)
Theorem 3.1 (Bayes’ Theorem). If Prob(y) > 0, then
Prob(x|y) = Prob(y|x)Prob(x) / Prob(y).
Corollary 3.2. X and Y are independent iff Prob(x|y) = Prob(x), for all x, y.
Example 3.3. Consider a random throw of a pair of dice. Let X be the random variable for the sum of the two dice and Y the one which takes the value D if the two dice are the same and N otherwise. The probability distributions for X and Y are shown below:
x            2     3     4     5     6     7     8     9     10    11    12
Prob(X = x)  1/36  2/36  3/36  4/36  5/36  6/36  5/36  4/36  3/36  2/36  1/36

y            D     N
Prob(Y = y)  6/36  30/36
Two conditional probabilities are computed below:
Prob(D|4) (= Prob(Y = D | X = 4)) = 1/3,   Prob(4|D) (= Prob(X = 4 | Y = D)) = 1/6
and so
Prob(4, D) = 1/36 = Prob(D|4)Prob(4) = Prob(4|D)Prob(D)
□
3.2 Perfect secrecy
notations – assume a cryptosystem (𝒫, 𝒞, 𝒦, ℰ, 𝒟); random variables are written in bold
- Prob(𝐱 = x) – the (a priori) probability that the plaintext is x
- Prob(𝐊 = K) – the probability that key K is chosen
assumption: 𝐊 and 𝐱 are independent random variables
- Prob(𝐲 = y) – the probability that the ciphertext is y
- C(K) = {e_K(x) | x ∈ 𝒫} – all ciphertexts obtained using K
We have
Prob(𝐲 = y) = \sum_{\{K \mid y \in C(K)\}} Prob(𝐊 = K) Prob(𝐱 = d_K(y))
Also
Prob(𝐲 = y | 𝐱 = x) = \sum_{\{K \mid x = d_K(y)\}} Prob(𝐊 = K)
We can now use Bayes’ theorem to compute the probability of a plaintext conditioned by a given ciphertext as<br />
∑<br />
Prob(x = x) Prob(K = K)<br />
Prob(x = x|y = y) = ∑<br />
{K|y∈C(K)}<br />
{K|x=d K(y)}<br />
Prob(K = K)Prob(x = d K (y))<br />
Example 3.4. Consider a cipher with $\mathcal{P} = \{a, b\}$, $\mathcal{C} = \{1, 2, 3, 4\}$, $\mathcal{K} = \{K_1, K_2, K_3\}$ with the distributions

    x              a     b
    Prob(x = x)    1/4   3/4

    K              K_1   K_2   K_3
    Prob(K = K)    1/2   1/4   1/4

and the encryption mapping

    e      a   b
    K_1    1   2
    K_2    2   3
    K_3    3   4

We can then compute the following probabilities:

    y              1      2      3      4
    Prob(y = y)    1/8    7/16   1/4    3/16

    Prob(x = x | y = y)    y = 1   y = 2   y = 3   y = 4
    x = a                  1       1/7     1/4     0
    x = b                  0       6/7     3/4     1

    Prob(y = y | x = x)    x = a   x = b
    y = 1                  1/2     0
    y = 2                  1/4     1/2
    y = 3                  1/4     1/4
    y = 4                  0       1/4

□
A cryptosystem has perfect secrecy if $\mathrm{Prob}(\mathbf{x} = x \mid \mathbf{y} = y) = \mathrm{Prob}(\mathbf{x} = x)$ for all $x, y$, that is, the (a posteriori) probability that the plaintext is $x$ given $y$ as ciphertext is always the same as the (a priori) probability that the plaintext is $x$. Put otherwise, $y$ gives no information about $x$.
Notice that this is equivalent, by Bayes' theorem, to $\mathrm{Prob}(\mathbf{y} = y \mid \mathbf{x} = x) = \mathrm{Prob}(\mathbf{y} = y)$ for all $x, y$.
Theorem 3.5. Assume the Shift Cipher such that each character is encrypted using a new random equally probable key (of probability 1/26). Then, for any plaintext distribution, the Shift Cipher has perfect secrecy.

Proof. Recall that $\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathbb{Z}_{26}$ and $e_K(x) = x + K \bmod 26$. For any ciphertext $y$, we have
$$\begin{aligned}
\mathrm{Prob}(\mathbf{y} = y) &= \sum_{K \in \mathbb{Z}_{26}} \mathrm{Prob}(\mathbf{K} = K)\,\mathrm{Prob}(\mathbf{x} = d_K(y)) \\
&= \sum_{K \in \mathbb{Z}_{26}} \frac{1}{26}\,\mathrm{Prob}(\mathbf{x} = y - K) \\
&= \frac{1}{26} \sum_{K \in \mathbb{Z}_{26}} \mathrm{Prob}(\mathbf{x} = y - K) \\
&= \frac{1}{26} \sum_{y \in \mathbb{Z}_{26}} \mathrm{Prob}(\mathbf{x} = y) \qquad \text{(as $K$ ranges over $\mathbb{Z}_{26}$, so does $y - K$)} \\
&= \frac{1}{26}.
\end{aligned}$$
We have also
$$\mathrm{Prob}(\mathbf{y} = y \mid \mathbf{x} = x) = \mathrm{Prob}(\mathbf{K} = y - x \bmod 26) = \frac{1}{26}$$
and so the Shift Cipher (with a new random equally probable key for each letter) has perfect secrecy. □
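As an added example, not from the notes: the formulas of this section evaluated exactly for two cryptosystems given as tables, the cipher of Example 3.4 (not perfectly secret) and the Shift Cipher of Theorem 3.5 with a constructed, non-uniform plaintext distribution (perfectly secret, as the theorem states for any distribution).

```python
from collections import defaultdict
from fractions import Fraction

# Added example: a finite cryptosystem is given by the plaintext distribution
# Prob(x), the key distribution Prob(K) and the encryption rule e_K(x).
# Exact arithmetic (Fraction) so the results can be compared with the tables.


def ciphertext_distribution(p_x, p_k, enc):
    """Prob(y = y) = sum over K with y in C(K) of Prob(K = K) * Prob(x = d_K(y)).

    Adding Prob(K) * Prob(x) to the bucket of y = e_K(x) for every pair (K, x)
    computes the same sum: the pairs with e_K(x) = y are exactly the keys with
    y in C(K), and for such a key x is d_K(y)."""
    p_y = defaultdict(Fraction)
    for k, pk in p_k.items():
        for x, px in p_x.items():
            p_y[enc(x, k)] += pk * px
    return dict(p_y)


def likelihood(p_x, p_k, enc):
    """Prob(y = y | x = x) = sum over K with e_K(x) = y of Prob(K = K)."""
    p_yx = defaultdict(Fraction)
    for k, pk in p_k.items():
        for x in p_x:
            p_yx[(enc(x, k), x)] += pk
    return dict(p_yx)


def posterior(p_x, p_k, enc):
    """Prob(x = x | y = y) via Bayes: Prob(x) Prob(y | x) / Prob(y)."""
    p_y = ciphertext_distribution(p_x, p_k, enc)
    p_yx = likelihood(p_x, p_k, enc)
    return {(x, y): p_x[x] * p_yx.get((y, x), Fraction(0)) / p_y[y]
            for x in p_x for y in p_y}


def has_perfect_secrecy(p_x, p_k, enc):
    """Perfect secrecy: Prob(x | y) = Prob(x) for every plaintext and ciphertext."""
    post = posterior(p_x, p_k, enc)
    return all(prob == p_x[x] for (x, _y), prob in post.items())


# --- Example 3.4 from the notes -------------------------------------------
EX34_PX = {"a": Fraction(1, 4), "b": Fraction(3, 4)}
EX34_PK = {"K1": Fraction(1, 2), "K2": Fraction(1, 4), "K3": Fraction(1, 4)}
EX34_ENC = {("a", "K1"): 1, ("b", "K1"): 2,
            ("a", "K2"): 2, ("b", "K2"): 3,
            ("a", "K3"): 3, ("b", "K3"): 4}


def ex34_enc(x, k):
    return EX34_ENC[(x, k)]


# --- Shift Cipher, one fresh uniform key per letter (Theorem 3.5) ----------
# Constructed, deliberately non-uniform plaintext distribution on Z_26:
# Prob(x = i) = (i + 1) / 351, since 1 + 2 + ... + 26 = 351.
SHIFT_PX = {i: Fraction(i + 1, 351) for i in range(26)}
SHIFT_PK = {k: Fraction(1, 26) for k in range(26)}


def shift_enc(x, k):
    return (x + k) % 26


if __name__ == "__main__":
    print("Example 3.4 Prob(y):", ciphertext_distribution(EX34_PX, EX34_PK, ex34_enc))
    print("Example 3.4 perfect secrecy:", has_perfect_secrecy(EX34_PX, EX34_PK, ex34_enc))
    print("Shift Cipher perfect secrecy:", has_perfect_secrecy(SHIFT_PX, SHIFT_PK, shift_enc))
```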
Assume, for any $y$, $\mathrm{Prob}(\mathbf{y} = y) > 0$ (otherwise we can remove $y$ from $\mathcal{C}$). For a fixed $x \in \mathcal{P}$, if the cryptosystem has perfect secrecy, we have $\mathrm{Prob}(\mathbf{y} = y \mid \mathbf{x} = x) = \mathrm{Prob}(\mathbf{y} = y) > 0$. Thus, there must be $K \in \mathcal{K}$ such that $e_K(x) = y$. It follows that $|\mathcal{K}| \geq |\mathcal{C}|$. Encryption is injective, so also $|\mathcal{C}| \geq |\mathcal{P}|$.

Theorem 3.6 (Shannon). If $|\mathcal{P}| = |\mathcal{C}| = |\mathcal{K}|$, then the cryptosystem has perfect secrecy iff
(i) all keys are used with the same probability, and
(ii) for every $x \in \mathcal{P}$ and $y \in \mathcal{C}$, there is a unique $K \in \mathcal{K}$ such that $e_K(x) = y$.

Proof. Assume first that the cryptosystem has perfect secrecy.
(ii) We showed above that, for any $x \in \mathcal{P}$, $y \in \mathcal{C}$, there is at least one key $K \in \mathcal{K}$ such that $e_K(x) = y$. But $|\mathcal{K}| = |\mathcal{C}|$, which gives that there is exactly one such key.
(i) Fix $y \in \mathcal{C}$ and put $\mathcal{P} = \{x_1, \ldots, x_n\}$. We can denote the keys by $\{K_1, \ldots, K_n\}$ such that $e_{K_i}(x_i) = y$, $1 \leq i \leq |\mathcal{P}|$. We have then, using perfect secrecy, $\mathrm{Prob}(\mathbf{K} = K_i) = \mathrm{Prob}(\mathbf{y} = y \mid \mathbf{x} = x_i) = \mathrm{Prob}(\mathbf{y} = y)$, for all $i$. This means all keys are used with the same probability $\mathrm{Prob}(\mathbf{y} = y)$.
The converse implication is proved as Theorem 3.5. □

Corollary 3.7. The one-time pad is perfectly secure.
4 DATA ENCRYPTION STANDARD

DES is the most widely used cryptosystem. It encrypts blocks of 64 bits (into output blocks of 64 bits) using a 56-bit key.

4.1 History
- 1960s – IBM's Feistel designed Lucifer – a Feistel block cipher which operates on blocks of 64 bits using a 128-bit key
- 1973 – NBS issued a request for proposals for a national cipher standard
- an improved Lucifer (by IBM and NSA) was submitted – 56-bit key (required by NSA) – this was DES
- much criticism
  - key too short: a brute force attack becomes feasible
  - design criteria for the S-boxes were not public
- 1994 – NIST recommended DES for applications other than protection of classified information
- 1999 – NIST recommended only triple DES (two or three DES keys)
4.2 Feistel ciphers

The methods for breaking ciphers we presented were based on statistical analysis. Monoalphabetic systems were easy to break because statistics worked very well at the level of letters. Polyalphabetic ones were also possible to break because we could still use statistics. In Fig. 2.6 we can see how the frequency of letters changes from plaintexts to ciphertexts encrypted using various cryptosystems. Except for a random polyalphabetic cipher, all of the others still left some information about the plaintext in the ciphertext. Ideally, no information about the plaintext or key should be revealed by the ciphertext. This is achieved by the one-time pad cipher, but then the length of the key is impracticable. To achieve a similar effect (hopefully!) with a much smaller key, we use block ciphers (which, as we shall see, can be used to simulate stream ciphers, so are more general) with repeated stages. The essential idea goes back to Feistel-type ciphers.

In principle, we could use an arbitrary mapping which maps blocks of $n$ bits into blocks of $n$ bits. But then the size of the key would be proportional to $2^n$, which would make it impractical. To thwart statistical attacks, blocks of 64 bits should be used, which would make the key size approximately $10^{19}$. Therefore, we need another way to achieve similar effects. We are back to Feistel's idea, which we describe in this section.

Before that, we discuss a little bit two basic principles for preventing statistical cryptanalysis: diffusion and confusion, suggested by Shannon. Diffusion means that the statistical structure of the plaintext should be dissipated into long range statistics of the ciphertext. For instance, each bit of the plaintext should affect the value of many ciphertext bits or, equivalently, each bit of the ciphertext is affected by many bits of the plaintext. So diffusion tries to make the statistical relation between plaintext and ciphertext as complex as possible. Diffusion is achieved by repeated permutation.
Confusion tries to make the relationship between the statistics of the ciphertext and the key as complex as possible. Confusion is achieved by complex substitutions.

The basic structure of a Feistel cipher is depicted in Fig. 3.5. It is a particular form of the substitution-permutation network proposed by Shannon. We have a number of rounds, each consisting of
- a substitution on the left half of the data: a round function $F$ is applied to the right half and the result is xored with the left half; in each round $F$ depends on some subkey $K_i$
- a permutation: the two halves are interchanged

The important parameters of a Feistel cipher are:
- block size – the larger the better; 64 is good enough; AES uses 128
- key size – larger increases security but lowers speed; 64 is no longer good; 128 is a common size
- number of rounds – essential against more advanced attacks; a typical number is 16
- subkey generation algorithm – complex
- round function – complex
The encryption and decryption algorithms are basically the same, with the difference that the subkeys for the decryption algorithm are used in reversed order; see Fig. 3.6.

We show next that the decryption works as intended. With the notations in Fig. 3.6 we have, for all $i$,
$$\begin{aligned}
LE_i &= RE_{i-1} \\
RE_i &= LE_{i-1} \oplus F(RE_{i-1}, K_i) \\
LD_i &= RD_{i-1} \\
RD_i &= LD_{i-1} \oplus F(RD_{i-1}, K_{17-i})
\end{aligned}$$
We show by induction on $i$ that
$$LD_i = RE_{16-i}, \qquad RD_i = LE_{16-i}.$$
In particular, for $i = 16$ we get that decryption gives back the plaintext. The equalities hold for $i = 0$ (the input to decryption is the output of encryption with the two halves swapped). We assume they hold for $i$ and prove them for $i + 1$. We use the facts that $\oplus$ is associative, has 0 as identity, and each element is its own inverse ($x \oplus x = 0$). We have
$$LD_{i+1} = RD_i = LE_{16-i} = RE_{16-(i+1)}$$
and
$$\begin{aligned}
RD_{i+1} &= LD_i \oplus F(RD_i, K_{16-i}) \\
&= RE_{16-i} \oplus F(LE_{16-i}, K_{16-i}) \\
&= LE_{15-i} \oplus F(RE_{15-i}, K_{16-i}) \oplus F(RE_{15-i}, K_{16-i}) \\
&= LE_{16-(i+1)}.
\end{aligned}$$
It is very important to notice that we did not assume anything about the function $F$. In particular, it need not be reversible.
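An added example (not from the notes) of the argument above: a 16-round Feistel cipher on 64-bit blocks with a toy, deliberately non-invertible round function and a toy key schedule (both constructed here; this is not DES), checking that the same algorithm with the subkeys reversed recovers the plaintext and that $LD_i = RE_{16-i}$, $RD_i = LE_{16-i}$ holds at every round.

```python
# Added example (not from the notes): a 16-round Feistel cipher on 64-bit
# blocks whose round function F is deliberately NOT invertible, to exhibit the
# decryption argument above. Round function and key schedule are constructed
# for illustration only and have nothing to do with DES.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 16
MULT = 0x9E3779B1          # odd, so multiplication by it is a bijection mod 2^32


def round_function(r, k):
    """F(R, K): xor the subkey in, multiply, then DISCARD the low 3 bits.
    Only 2^29 outputs for 2^32 inputs, so F cannot be inverted."""
    return (((r ^ k) * MULT) & MASK32) >> 3


def key_schedule(key64):
    """Toy subkey generation (constructed): K_i = low 32 bits of the key rotated by 5i."""
    subkeys = []
    for i in range(1, ROUNDS + 1):
        rot = (5 * i) % 64
        rotated = ((key64 << rot) | (key64 >> (64 - rot))) & MASK64
        subkeys.append(rotated & MASK32)
    return subkeys


def feistel_states(left, right, subkeys):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i) for each subkey
    and return every intermediate pair (L_i, R_i), i = 0..16."""
    states = [(left, right)]
    for k in subkeys:
        l, r = states[-1]
        states.append((r, l ^ round_function(r, k)))
    return states


def feistel(block, subkeys):
    """16 rounds followed by the final swap of the two halves (as in Fig. 3.6)."""
    l16, r16 = feistel_states(block >> 32, block & MASK32, subkeys)[-1]
    return (r16 << 32) | l16


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    # Identical algorithm; round i uses K_{17-i}, i.e. the subkeys reversed.
    return feistel(block, subkeys[::-1])


def check_induction(plaintext, subkeys):
    """Verify LD_i = RE_{16-i} and RD_i = LE_{16-i} for every i on one block."""
    enc = feistel_states(plaintext >> 32, plaintext & MASK32, subkeys)
    le16, re16 = enc[-1]
    dec = feistel_states(re16, le16, subkeys[::-1])  # decryption starts from swapped halves
    return all(dec[i] == (enc[ROUNDS - i][1], enc[ROUNDS - i][0])
               for i in range(ROUNDS + 1))


def f_collision(k):
    """Construct r1 != r2 with F(r1, k) == F(r2, k): pick two products that
    differ only in a discarded low bit and map them back through the inverse
    of the multiplication."""
    mult_inv = pow(MULT, -1, 1 << 32)
    p1 = 0x12345678
    p2 = p1 ^ 1
    r1 = ((p1 * mult_inv) & MASK32) ^ k
    r2 = ((p2 * mult_inv) & MASK32) ^ k
    return r1, r2


if __name__ == "__main__":
    sk = key_schedule(0x0123456789ABCDEF)
    pt = 0xDEADBEEFCAFEBABE
    ct = encrypt(pt, sk)
    print(f"plaintext  {pt:016X}\nciphertext {ct:016X}\ndecrypted  {decrypt(ct, sk):016X}")
    print("LD_i = RE_{16-i}, RD_i = LE_{16-i} for all i:", check_induction(pt, sk))
```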
4.3 Description of DES

The overall DES encryption algorithm is shown in Fig. 3.7. It encrypts 64-bit plaintext blocks using a 56-bit key. The details of each round are shown in Fig. 3.8 and the computation of $F$ is shown in Fig. 3.9.
4.4 Analysis of DES

Two points were criticized:
- S-boxes; as the only nonlinear part, they are vital to security. It was suggested that they contain trapdoors which would allow NSA to decrypt. The evidence so far shows that the S-boxes were built to resist certain advanced attacks, such as differential cryptanalysis, which was known to NSA 20 years before Biham and Shamir rediscovered it in 1991. As we shall see later, a differential cryptanalysis attack on (16-round) DES requires $2^{55.1}$ operations compared to $2^{55}$ needed by a brute force attack. If DES had fewer rounds, then differential cryptanalysis would require less effort than a brute force attack.
- key size; the original Lucifer had 128; the proposed DES had 64, which was reduced to 56 to include 8 parity check bits.
  - 1977 – Diffie and Hellman estimated at $20,000,000 a machine to break DES in one day
  - 1993 – Wiener estimated at $100,000 a machine to break DES in 1.5 days
  - 1998 – a $250,000 machine was built by the Electronic Frontier Foundation and broke DES in 56 hours
  - 1999 – a worldwide network broke DES in 22h 15min

We mention further that linear cryptanalysis is more efficient than differential cryptanalysis – DES was broken using $2^{43}$ plaintext-ciphertext pairs. (Of course, in practice such an attempt is not likely to succeed due to the huge number of pairs required.)
4.5 Modes of operation

- electronic codebook mode (ECB) (Fig. 3.11)
  - for a given key, there is a unique ciphertext for every 64-bit input
  - good for short messages, such as a DES key
  - not good for long messages due to its regularity
- cipher block chaining mode (CBC) (Fig. 3.12)
  - the same block of plaintext will produce a different ciphertext
  - an initial vector IV is used for the first ciphertext block; IV must be secretly known by both parties; it can be sent using ECB
  - if IV is revealed, then problems might appear; for instance, $C_1 = E_k(IV \oplus P_1)$ implies $P_1 = IV \oplus D_k(C_1)$, and so corresponding bits of $P_1$ and IV can be simultaneously complemented
- cipher feedback mode (CFB) (Fig. 3.13)
  - this is a stream cipher
  - the ciphertext is fed back to the shift register
  - the plaintext is divided into blocks of $s$ bits
  - operates in real time
  - good for authentication
  - notice the use of the encryption function only
- output feedback mode (OFB) (Fig. 3.14)
  - similar; the output of the encryption is fed back to the register – bit errors in transmission do not propagate (used for satellite transmissions)
  - more vulnerable to message stream modification attacks than CFB
- counter mode (CTR) (Fig. 3.15)
  - most recent
  - a counter is used; it must be different for each encrypted block; usually the counter is incremented by 1 mod block size
  - advantages
    - hardware and software efficiency – can be done in parallel
    - preprocessing possible
    - random access in ciphertext possible
    - does not require the decryption function to be implemented
4.6 Triple DES

DES is no longer safe. We can build new ciphers or try to use DES in a safe way.
- double DES uses two DES keys; see Fig. 6.1. We have
$$C = E_{K_2}(E_{K_1}(P)), \qquad P = D_{K_1}(D_{K_2}(C)).$$
It is very likely that double DES cannot be simulated by a single DES, that is, it produces a different mapping. So, we should have an increase to a key of 112 bits.
- meet-in-the-middle attack
  - we have $E_{K_1}(P) = D_{K_2}(C)$
  - so, given a pair $(P, C)$, we encrypt $P$ using all possible $2^{56}$ values for $K_1$ and store those in a table
  - then decrypt $C$ using all possible $2^{56}$ values for $K_2$ and match those against the ones in the table
  - when a match occurs, test the pair of keys against a different plaintext-ciphertext pair
  - each plaintext is encrypted by double DES to one of $2^{64}$ possible ciphertexts; since there are $2^{112}$ keys, on average a plaintext $P$ is encrypted to a ciphertext $C$ by $2^{48}$ keys
  - so, for the first pair a match will produce a false alarm with probability $1 - 2^{-48}$
  - a false alarm for both pairs will be produced with very small probability: $2^{-16} = 2^{48-64}$
  - so double DES is not much more secure than DES
- triple DES (3DES) performs three stages of encryption using two keys; see Fig. 6.1. We have
$$C = E_{K_1}(D_{K_2}(E_{K_1}(P))), \qquad P = D_{K_1}(E_{K_2}(D_{K_1}(C))).$$
The only use of the decryption in the middle is to allow users of 3DES to decrypt single DES
  - no known effective attacks
  - one can also use 3DES with three keys; with a single key $K$ it reduces to DES: $C = E_K(P) = E_K(D_K(E_K(P)))$.
5 LINEAR AND DIFFERENTIAL CRYPTANALYSIS

These are the most powerful attacks against symmetric block ciphers. In this section we describe the two attacks. They are very complex and we shall describe them on a simple model called a substitution-permutation network.

5.1 Iterated ciphers

A commonly used design in most modern-day block ciphers is that of an iterated cipher.
An iterated cipher consists of a round function and a key schedule. Given a key $K$ (usually a random binary key of specified length), we construct the key schedule $(K_1, K_2, \ldots, K_{Nr})$ using a fixed public algorithm; the components $K_r$ are called round keys. The round function, say $g$, takes two inputs: a round key $K_r$ and the current state of the plaintext being encrypted, and produces the next state. The initial state is the plaintext and the last state will be the ciphertext. Therefore, the encryption algorithm looks as below:
$$\begin{aligned}
w_0 &\leftarrow x \\
w_1 &\leftarrow g(w_0, K_1) \\
w_2 &\leftarrow g(w_1, K_2) \\
&\;\;\vdots \\
w_{Nr-1} &\leftarrow g(w_{Nr-2}, K_{Nr-1}) \\
w_{Nr} &\leftarrow g(w_{Nr-1}, K_{Nr}) \\
y &\leftarrow w_{Nr}
\end{aligned}$$
In order for the decryption to be possible, $g$ has to be injective when its second argument is fixed; that is, there exists $g^{-1}$ such that
$$g^{-1}(g(w, k), k) = w,$$
for all $w$ and $k$. In this case the decryption is done by a similar algorithm:
$$\begin{aligned}
w_{Nr} &\leftarrow y \\
w_{Nr-1} &\leftarrow g^{-1}(w_{Nr}, K_{Nr}) \\
&\;\;\vdots \\
w_1 &\leftarrow g^{-1}(w_2, K_2) \\
w_0 &\leftarrow g^{-1}(w_1, K_1) \\
x &\leftarrow w_0
\end{aligned}$$

5.2 Substitution-permutation network

A substitution-permutation network (SPN) is a special type of iterated cipher with a few changes. Given two positive integers $l$ and $m$ ($lm$ will be the block length of the cipher), an SPN is built from two components: a substitution (which is technically a permutation)
$$\pi_S : \{0,1\}^l \to \{0,1\}^l$$
and a permutation
$$\pi_P : \{1, 2, \ldots, lm\} \to \{1, 2, \ldots, lm\}.$$
$\pi_S$ is called an S-box ('S' comes from "substitution") and will be used to replace $l$ bits with a different set of $l$ bits. $\pi_P$ will be used to permute $lm$ bits.
Given an $lm$-bit binary string $x = (x_1, x_2, \ldots, x_{lm})$ we regard $x$ as a concatenation of $m$ $l$-bit substrings $x^{(1)}, x^{(2)}, \ldots, x^{(m)}$. That is,
$$x = x^{(1)} \,\|\, x^{(2)} \,\|\, \cdots \,\|\, x^{(m)}$$
where, for each $1 \leq i \leq m$, we have
$$x^{(i)} = (x_{(i-1)l+1}, \ldots, x_{il}).$$
Substitution-permutation network

$\mathcal{P} = \mathcal{C} = \{0,1\}^{lm}$, $\mathcal{K} \subseteq (\{0,1\}^{lm})^{Nr+1}$
encryption: $Nr$ rounds, each (except the last) including:
- xor with a round key (round key mixing)
- a substitution using $\pi_S$
- a permutation using $\pi_P$

Writing $u^r_{\langle i \rangle}$ for the $i$-th $l$-bit substring of the state $u^r$ (and similarly for $v^r$), the algorithm is:

SPN$(x, \pi_S, \pi_P, (K_1, K_2, \ldots, K_{Nr+1}))$
    $w^0 \leftarrow x$
    for $r$ from 1 to $Nr - 1$ do
        $u^r \leftarrow w^{r-1} \oplus K_r$
        for $i$ from 1 to $m$ do
            $v^r_{\langle i \rangle} \leftarrow \pi_S(u^r_{\langle i \rangle})$
        $w^r \leftarrow (v^r_{\pi_P(1)}, \ldots, v^r_{\pi_P(lm)})$
    $u^{Nr} \leftarrow w^{Nr-1} \oplus K_{Nr}$
    for $i$ from 1 to $m$ do
        $v^{Nr}_{\langle i \rangle} \leftarrow \pi_S(u^{Nr}_{\langle i \rangle})$
    $y \leftarrow v^{Nr} \oplus K_{Nr+1}$
    return $y$

decryption: similar to encryption, except that
- the S-boxes are replaced by their inverses and
- the key schedule is reversed.
Example 5.1. Assume $l = m = Nr = 4$ and $\pi_S$ and $\pi_P$ defined as below (in the definition of $\pi_S$ each 4-tuple of bits is represented in hexadecimal):

    z         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
    π_S(z)    E  4  D  1  2  F  B  8  3  A  6  C  5  9  0  7

    z         1  2  3  4   5  6  7   8   9  10  11  12  13  14  15  16
    π_P(z)    1  5  9  13  2  6  10  14  3  7   11  15  4   8   12  16

This SPN is also shown in Fig. 6, where the S-boxes have different labels for easier reference. They all represent the same S-box, namely $\pi_S$.
The description of our SPN is completed by specifying the key scheduling algorithm. Here is a simple possibility. We start with a 32-bit key $K = (k_1, \ldots, k_{32}) \in \{0,1\}^{32}$. For $1 \leq r \leq 5$, define $K_r$ to contain the 16 consecutive bits starting with $k_{4r-3}$. For instance, if
$$K = 0011\ 1010\ 1001\ 0100\ 1101\ 0110\ 0011\ 1111,$$
then the round keys are
$$\begin{aligned}
K_1 &= 0011\ 1010\ 1001\ 0100 \\
K_2 &= 1010\ 1001\ 0100\ 1101 \\
K_3 &= 1001\ 0100\ 1101\ 0110 \\
K_4 &= 0100\ 1101\ 0110\ 0011 \\
K_5 &= 1101\ 0110\ 0011\ 1111
\end{aligned}$$
If the plaintext is
$$x = 0010\ 0110\ 1011\ 0111$$
[Figure 6: A substitution-permutation network – the four rounds of Example 5.1: plaintext $x$, $\oplus K_1$, $u^1$, S-boxes $S^1_1, \ldots, S^1_4$, $v^1$, $w^1$ (round 1), and likewise for rounds 2, 3 and 4 with $K_2, K_3, K_4$, then $v^4$, $\oplus K_5$, ciphertext $y$. The figure itself is not reproduced here.]
then the encryption proceeds as follows:
$$\begin{aligned}
w^0 &= 0010\ 0110\ 1011\ 0111 \\
K_1 &= 0011\ 1010\ 1001\ 0100 \\
u^1 &= 0001\ 1100\ 0010\ 0011 \\
v^1 &= 0100\ 0101\ 1101\ 0001 \\
w^1 &= 0010\ 1110\ 0000\ 0111 \\
K_2 &= 1010\ 1001\ 0100\ 1101 \\
u^2 &= 1000\ 0111\ 0100\ 1010 \\
v^2 &= 0011\ 1000\ 0010\ 0110 \\
w^2 &= 0100\ 0001\ 1011\ 1000 \\
K_3 &= 1001\ 0100\ 1101\ 0110 \\
u^3 &= 1101\ 0101\ 0110\ 1110 \\
v^3 &= 1001\ 1111\ 1011\ 0000 \\
w^3 &= 1110\ 0100\ 0110\ 1110 \\
K_4 &= 0100\ 1101\ 0110\ 0011 \\
u^4 &= 1010\ 1001\ 0000\ 1101 \\
v^4 &= 0110\ 1010\ 1110\ 1001 \\
K_5 &= 1101\ 0110\ 0011\ 1111 \\
y &= 1011\ 1100\ 1101\ 0110
\end{aligned}$$
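The SPN of Example 5.1 in Python, as an added example that is not part of the notes: it reproduces the trace above from the 32-bit key $K$ and implements the decryption described in Section 5.2 (inverse S-box, inverse permutation, reversed key schedule). Bit 1 of the notes is taken as the most significant bit of a 16-bit integer.

```python
# Added example (not from the notes): the SPN of Example 5.1 on 16-bit blocks
# with its key schedule. States are Python ints; bit 1 in the notes is the
# most significant bit here. spn_trace reproduces the notes' worked values.

PI_S = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# PI_P[z] for z = 1..16 (index 0 unused, so positions match the notes)
PI_P = [None, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]
L, M = 4, 4                 # l-bit S-box, m S-boxes per round
BLOCK = L * M               # lm = 16


def invert_sbox(sbox):
    inv = [0] * len(sbox)
    for z, s in enumerate(sbox):
        inv[s] = z
    return inv


def invert_perm(perm):
    inv = [None] * len(perm)
    for i in range(1, len(perm)):
        inv[perm[i]] = i
    return inv


def substitute(u, sbox):
    """Apply the S-box to each of the m l-bit substrings u_<1>, ..., u_<m>."""
    v = 0
    for i in range(M):
        shift = BLOCK - L * (i + 1)
        v |= sbox[(u >> shift) & 0xF] << shift
    return v


def permute(v, perm):
    """w = (v_{pi_P(1)}, ..., v_{pi_P(lm)}): bit i of w is bit pi_P(i) of v."""
    w = 0
    for i in range(1, BLOCK + 1):
        bit = (v >> (BLOCK - perm[i])) & 1
        w |= bit << (BLOCK - i)
    return w


def key_schedule(key32):
    """K_r = the 16 consecutive key bits starting at k_{4r-3}, r = 1..5."""
    return [(key32 >> (16 - 4 * (r - 1))) & 0xFFFF for r in range(1, 6)]


def spn_trace(x, round_keys, sbox=PI_S, perm=PI_P):
    """Encrypt and record every intermediate state u^r, v^r, w^r (Example 5.1)."""
    nr = len(round_keys) - 1
    trace = {"w0": x}
    w = x
    for r in range(1, nr):
        u = w ^ round_keys[r - 1]
        v = substitute(u, sbox)
        w = permute(v, perm)
        trace.update({f"u{r}": u, f"v{r}": v, f"w{r}": w})
    u = w ^ round_keys[nr - 1]            # last round: no permutation
    v = substitute(u, sbox)
    y = v ^ round_keys[nr]                # final xor with K_{Nr+1}
    trace.update({f"u{nr}": u, f"v{nr}": v, "y": y})
    return trace


def spn_encrypt(x, round_keys, sbox=PI_S, perm=PI_P):
    return spn_trace(x, round_keys, sbox, perm)["y"]


def spn_decrypt(y, round_keys, sbox=PI_S, perm=PI_P):
    """Run the rounds backwards with the inverse S-box and inverse permutation."""
    inv_s, inv_p = invert_sbox(sbox), invert_perm(perm)
    nr = len(round_keys) - 1
    u = substitute(y ^ round_keys[nr], inv_s)     # undo K_{Nr+1} and the last S-boxes
    w = u ^ round_keys[nr - 1]                    # w^{Nr-1}
    for r in range(nr - 1, 0, -1):
        u = substitute(permute(w, inv_p), inv_s)  # v^r, then u^r
        w = u ^ round_keys[r - 1]                 # w^{r-1}
    return w


if __name__ == "__main__":
    rk = key_schedule(0x3A94D63F)        # the 32-bit key of Example 5.1
    for name, val in spn_trace(0x26B7, rk).items():
        print(f"{name:>3} = {val:016b}")
```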
Comments on SPNs:
• the design is simple and efficient in both software and hardware
• in software, an S-box is implemented as a look-up table; the memory required is $l 2^l$ bits; in Example 5.1 each S-box requires $2^6$ bits; AES uses an S-box which maps 8 bits to 8 bits (key size at least 128 bits, block length 128, at least 10 rounds)
• it is possible to use more than one S-box; DES uses eight different S-boxes in each round
• in each round an invertible linear transformation can be included as a replacement for or in addition to the permutation operation; this is done in AES
5.3 Linear cryptanalysis

We start by describing the basic idea, which can be applied, in principle, to any iterated cipher. Suppose it is possible to find a probabilistic linear relationship between a subset of plaintext bits and a subset of state bits immediately preceding the substitutions performed in the last round. In other words, there exists a subset of bits whose xor behaves in a non-random fashion; that is, it takes on the value 0 (or 1) with a probability bounded away from 1/2. Now assume the attacker has a large number of plaintext-ciphertext pairs, all of which are encrypted with the same unknown key $K$; i.e., we have a known plaintext attack. For each of the plaintext-ciphertext pairs, we begin to decrypt the ciphertext, using all possible candidate keys for the last round of the cipher. For each candidate key, we compute the values of the relevant state bits involved in the linear relationship and determine if the above mentioned linear relationship holds. Whenever it does, we increment a counter corresponding to the particular candidate key. At the end of the process we hope that the candidate key whose frequency count is furthest from 1/2 times the number of pairs contains the correct values for the key bits involved.
5.3.1 The piling-up lemma

Consider $X_i$, $i = 1, 2, 3, \ldots$, independent random variables taking values from $\{0,1\}$ and suppose that
$$\mathrm{Prob}[X_i = 0] = p_i.$$
The independence of $X_i$ and $X_j$ implies
$$\begin{aligned}
\mathrm{Prob}[X_i \oplus X_j = 0] &= p_i p_j + (1 - p_i)(1 - p_j), \\
\mathrm{Prob}[X_i \oplus X_j = 1] &= p_i (1 - p_j) + (1 - p_i) p_j.
\end{aligned}$$
The bias of $X_i$ is
$$\epsilon_i = p_i - \frac{1}{2}.$$
Notice that $-1/2 \leq \epsilon_i \leq 1/2$, $\mathrm{Prob}[X_i = 0] = 1/2 + \epsilon_i$, and $\mathrm{Prob}[X_i = 1] = 1/2 - \epsilon_i$.
For $i_1 < i_2 < \cdots < i_k$, let $\epsilon_{i_1, i_2, \ldots, i_k}$ denote the bias of the random variable $X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_k}$.

Lemma 5.2 (Piling-up lemma). If $\epsilon_{i_1, i_2, \ldots, i_k}$ is the bias of the random variable $X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_k}$, then
$$\epsilon_{i_1, i_2, \ldots, i_k} = 2^{k-1} \prod_{j=1}^{k} \epsilon_{i_j}.$$

Corollary 5.3. If $\epsilon_{i_1, i_2, \ldots, i_k}$ is the bias of the random variable $X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_k}$ and $\epsilon_{i_j} = 0$ for some $j$, then $\epsilon_{i_1, i_2, \ldots, i_k} = 0$.

It is important to notice that the piling-up lemma holds, in general, only when the random variables are independent. As an example, consider independent $X_1, X_2, X_3$ with $\epsilon_i = 1/4$ for all $i$. By the piling-up lemma we get $\epsilon_{1,2} = \epsilon_{1,3} = \epsilon_{2,3} = 1/8$. Consider the two variables $X_1 \oplus X_2$ and $X_2 \oplus X_3$. We have $(X_1 \oplus X_2) \oplus (X_2 \oplus X_3) = X_1 \oplus X_3$. If $X_1 \oplus X_2$ and $X_2 \oplus X_3$ were independent we would have $\epsilon_{1,3} = 2 (1/8)^2 = 1/32$. But $\epsilon_{1,3} = 1/8$.
5.4 Linear approximation of S-boxes

Consider a general S-box $\pi_S : \{0,1\}^m \to \{0,1\}^n$; notice that we do not require that $m = n$. An input is $X = (X_1, \ldots, X_m)$, where each $x_i$ defines a random variable $X_i$ taking on values 0 and 1 and having bias $\epsilon_i = 0$; these variables are independent.
The output is $Y = (Y_1, \ldots, Y_n)$ and each $y_i$ defines a variable $Y_i$. Clearly, these variables are not independent of each other or of the $X_i$'s.
Next, we compute the bias of variables of the form
$$X_{i_1} \oplus \cdots \oplus X_{i_k} \oplus Y_{j_1} \oplus \cdots \oplus Y_{j_l}.$$
A linear cryptanalytic attack can potentially be mounted when a random variable of this form has a bias that is bounded away from 0.

Example 5.4. For the S-box in Example 5.1, we compute all possible values taken by the eight random variables $X_1, \ldots, X_4, Y_1, \ldots, Y_4$ in the table below.

    X1 X2 X3 X4 | Y1 Y2 Y3 Y4 | X1⊕X4⊕Y2 | X3⊕X4⊕Y1⊕Y4
    0  0  0  0  | 1  1  1  0  |    1     |      1
    0  0  0  1  | 0  1  0  0  |    0     |      1
    0  0  1  0  | 1  1  0  1  |    1     |      1
    0  0  1  1  | 0  0  0  1  |    1     |      1
    0  1  0  0  | 0  0  1  0  |    0     |      0
    0  1  0  1  | 1  1  1  1  |    0     |      1
    0  1  1  0  | 1  0  1  1  |    0     |      1
    0  1  1  1  | 1  0  0  0  |    1     |      1
    1  0  0  0  | 0  0  1  1  |    1     |      1
    1  0  0  1  | 1  0  1  0  |    0     |      0
    1  0  1  0  | 0  1  1  0  |    0     |      1
    1  0  1  1  | 1  1  0  0  |    1     |      1
    1  1  0  0  | 0  1  0  1  |    0     |      1
    1  1  0  1  | 1  0  0  1  |    0     |      1
    1  1  1  0  | 0  0  0  0  |    1     |      1
    1  1  1  1  | 0  1  1  1  |    1     |      1

If we consider now the random variable $X_1 \oplus X_4 \oplus Y_2$, its bias is 0, as seen in the table above. So, it is not suitable for a linear cryptanalytic attack. On the other hand, the random variable $X_3 \oplus X_4 \oplus Y_1 \oplus Y_4$ has bias $-3/8$; see the above table. □

We next compute the biases of all $2^8 = 256$ random variables of this form. We represent each such random variable in the form
$$\left( \bigoplus_{i=1}^{4} a_i X_i \right) \oplus \left( \bigoplus_{i=1}^{4} b_i Y_i \right)$$
where $a_i, b_i \in \{0,1\}$. We then treat each 4-tuple $a = (a_1, a_2, a_3, a_4)$ and $b = (b_1, b_2, b_3, b_4)$ as a hexadecimal digit; the former is called the input sum and the latter the output sum. We denote by $N_L(a, b)$ the number of binary 8-tuples $(x_1, x_2, x_3, x_4, y_1, y_2, y_3, y_4)$ such that
$$\pi_S(x_1, x_2, x_3, x_4) = (y_1, y_2, y_3, y_4)$$
and
$$\left( \bigoplus_{i=1}^{4} a_i x_i \right) \oplus \left( \bigoplus_{i=1}^{4} b_i y_i \right) = 0.$$
Notice that the bias of a random variable having input sum $a$ and output sum $b$ is
$$\epsilon(a, b) = \frac{N_L(a, b) - 8}{16}.$$
The table containing all values of $N_L$ is called the linear approximation table. For our example, it is shown in Fig. 7.

    N_L(a,b)                          b (output sum)
    a (input sum)   0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
        0          16   8   8   8   8   8   8   8   8   8   8   8   8   8   8   8
        1           8   8   6   6   8   8   6  14  10  10   8   8  10  10   8   8
        2           8   8   6   6   8   8   6   6   8   8  10  10   8   8   2  10
        3           8   8   8   8   8   8   8   8  10   2   6   6  10  10   6   6
        4           8  10   8   6   6   4   6   8   8   6   8  10  10   4  10   8
        5           8   6   6   8   6   8  12  10   6   8   4  10   8   6   6   8
        6           8  10   6  12  10   8   8  10   8   6  10  12   6   8   8   6
        7           8   6   8  10  10   4  10   8   6   8  10   8  12  10   8  10
        8           8   8   8   8   8   8   8   8   6  10  10   6  10   6   6   2
        9           8   8   6   6   8   8   6   6   4   8   6  10   8  12  10   6
        A           8  12   6  10   4   8  10   6  10  10   8   8  10  10   8   8
        B           8  12   8   4  12   8  12   8   8   8   8   8   8   8   8   8
        C           8   6  12   6   6   8  10   8  10   8  10  12   8  10   8   6
        D           8  10  10   8   6  12   8  10   4   6  10   8  10   8   8  10
        E           8  10  10   8   6   4   8  10   6   8   8   6   4  10   6   8
        F           8   6   4   6   6   8  10   8   8   6  12   6   6   8  10   8

Figure 7: A linear approximation table
5.5 A linear attack on SPN

Linear cryptanalysis requires finding a set of linear approximations of S-boxes that can be used to derive a linear approximation of the entire SPN (excluding the last round).
We will illustrate the procedure using the SPN in Example 5.1. The attack is also shown in Fig. 8; thick lines correspond to random variables which are involved in the linear approximations and the labelled S-boxes are the ones involved in the approximations – they are called active S-boxes.
The approximation incorporates four active S-boxes:
• in $S^1_2$: the random variable $T_1 = U^1_5 \oplus U^1_7 \oplus U^1_8 \oplus V^1_6$ has bias $1/4$;
• in $S^2_2$: the random variable $T_2 = U^2_6 \oplus V^2_6 \oplus V^2_8$ has bias $-1/4$;
• in $S^3_2$: the random variable $T_3 = U^3_6 \oplus V^3_6 \oplus V^3_8$ has bias $-1/4$;
• in $S^3_4$: the random variable $T_4 = U^3_{14} \oplus V^3_{14} \oplus V^3_{16}$ has bias $-1/4$.
The four random variables $T_i$ have biases which are high in absolute value. Also, their xor will lead to cancellations of intermediate random variables.
If we make the assumption that these four random variables are independent, then we can compute the bias of their xor
$$T_1 \oplus T_2 \oplus T_3 \oplus T_4$$
using the piling-up lemma. (Actually, these variables are not independent, which means that the piling-up lemma will not give the correct result. However, in practice it gives a reasonably good approximation which works well for our attack.) Therefore, by the piling-up lemma, we hypothesize that the random variable $T_1 \oplus T_2 \oplus T_3 \oplus T_4$ has bias $2^3 \cdot (1/4)(-1/4)^3 = -1/32$.
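An added example, not from the notes, serving Example 5.4, the linear approximation table of Fig. 7 and the four active S-box approximations above: it computes $N_L(a,b)$ and $\epsilon(a,b)$ for $\pi_S$, checks the biases $0$ and $-3/8$ of Example 5.4 and $1/4, -1/4, -1/4, -1/4$ of $T_1, \ldots, T_4$, and applies the piling-up lemma to obtain $-1/32$. Within one S-box, bit positions are numbered 1 to 4 from the most significant bit, so for instance $U^1_5$ is position 1 of $S^1_2$.

```python
# Added example (not from the notes): the linear approximation table N_L(a, b)
# of the S-box of Example 5.1, the biases epsilon(a, b) = (N_L(a, b) - 8) / 16,
# and the piling-up estimate for the four active S-boxes of Section 5.5.

from fractions import Fraction

PI_S = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    """XOR of all bits of v."""
    p = 0
    while v:
        p ^= v & 1
        v >>= 1
    return p


def count_zero(sbox, a, b):
    """N_L(a, b): number of inputs x with (a . x) xor (b . sbox(x)) = 0,
    where a and b are the input and output sums read as bit masks."""
    return sum(1 for x in range(len(sbox))
               if parity(a & x) ^ parity(b & sbox[x]) == 0)


def linear_approximation_table(sbox):
    """All N_L(a, b), indexed as table[a][b] (Fig. 7 for PI_S)."""
    n = len(sbox)
    return [[count_zero(sbox, a, b) for b in range(n)] for a in range(n)]


def bias(sbox, a, b):
    """epsilon(a, b) = (N_L(a, b) - 2^{l-1}) / 2^l; for l = 4 that is (N_L - 8) / 16."""
    n = len(sbox)
    return Fraction(count_zero(sbox, a, b) - n // 2, n)


def mask(*positions):
    """Bit positions 1..4 (1 = most significant) -> input/output sum as a mask."""
    m = 0
    for p in positions:
        m |= 1 << (4 - p)
    return m


def piling_up(biases):
    """Lemma 5.2: epsilon_{1..k} = 2^{k-1} * product of the epsilon_j."""
    result = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        result *= e
    return result


def example_5_4():
    """X1+X4+Y2 has input sum 1001 = 9 and output sum 0100 = 4;
    X3+X4+Y1+Y4 has input sum 0011 = 3 and output sum 1001 = 9."""
    return bias(PI_S, mask(1, 4), mask(2)), bias(PI_S, mask(3, 4), mask(1, 4))


# Section 5.5: the four active-S-box approximations as (input sum, output sum)
# within one S-box (bits 5..8 of u^1 are positions 1..4 of S^1_2, bits 13..16
# of u^3 are positions 1..4 of S^3_4, and so on).
ACTIVE = [
    (mask(1, 3, 4), mask(2)),      # T1 in S^1_2: U5 + U7 + U8 + V6
    (mask(2), mask(2, 4)),         # T2 in S^2_2: U6 + V6 + V8
    (mask(2), mask(2, 4)),         # T3 in S^3_2: U6 + V6 + V8
    (mask(2), mask(2, 4)),         # T4 in S^3_4: U14 + V14 + V16
]


def active_biases():
    return [bias(PI_S, a, b) for a, b in ACTIVE]


def hypothesized_bias():
    """Piling-up estimate for T1 + T2 + T3 + T4 (the notes: -1/32)."""
    return piling_up(active_biases())


if __name__ == "__main__":
    for a, row in enumerate(linear_approximation_table(PI_S)):
        print(f"{a:X} " + " ".join(f"{v:2d}" for v in row))
    print("Example 5.4 biases:", example_5_4())
    print("active biases:", active_biases(), "piling-up:", hypothesized_bias())
```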
[Figure 8: A linear approximation of a substitution-permutation network – the SPN of Example 5.1 with the active S-boxes $S^1_2$, $S^2_2$, $S^3_2$, $S^3_4$ marked; the thick lines carry the plaintext bits $X_5, X_7, X_8$, the key bits $K^1_5, K^1_7, K^1_8, K^2_6, K^3_6, K^3_{14}, K^4_6, K^4_8, K^4_{14}, K^4_{16}$, the state bits $U^4_6, U^4_8, U^4_{14}, U^4_{16}$ and the last-round key bits $K^5_5, \ldots, K^5_8, K^5_{13}, \ldots, K^5_{16}$. The figure itself is not reproduced here.]
Next, we can write (see Fig. 8)<br />
The xor T 1 ⊕T 2 ⊕T 3 ⊕T 4 becomes<br />
T 1 = X 5 ⊕K5 1 ⊕X 7 ⊕K7 1 ⊕X 8 ⊕K8 1 ⊕V1 6<br />
T 2 = V6 1 ⊕K2 6 ⊕V2 6 ⊕V2 8<br />
T 3 = V6 2 ⊕K6 3 ⊕U6 4 ⊕K6 4 ⊕U14 4 ⊕K14<br />
4<br />
T 4 = V8 2 ⊕K3 14 ⊕U4 8 ⊕K4 8 ⊕U4 16 ⊕K4 16<br />
X 5 ⊕X 7 ⊕X 8 ⊕U 4 6 ⊕U 4 8 ⊕U 4 14 ⊕U 4 16 ⊕K 1 5 ⊕K 1 7 ⊕K 1 8 ⊕K 2 6 ⊕K 3 6 ⊕K 3 14 ⊕K 4 6 ⊕K 4 8 ⊕K 4 14 ⊕K 4 16<br />
<strong>and</strong> so the last r<strong>and</strong>om variable had also bias (approximately) −1/32. It involves only bits of plaintext, of u 4 ,<br />
<strong>and</strong> of the key. Suppose that the key bits are fixed. Then the r<strong>and</strong>om variable<br />
K 1 5 ⊕K 1 7 ⊕K 1 8 ⊕K 2 6 ⊕K 3 6 ⊕K 3 14 ⊕K 4 6 ⊕K 4 8 ⊕K 4 14 ⊕K 4 16<br />
has a fixed value, 0 or 1. Therefore, the r<strong>and</strong>om variable<br />
X 5 ⊕X 7 ⊕X 8 ⊕U 4 6 ⊕U4 8 ⊕U4 14 ⊕U4 16
CS4413a – <strong>Cryptography</strong> <strong>and</strong> <strong>Security</strong> – fall 2011 – c○ 2011 by Lucian Ilie 32<br />
has bias ±1/32 (approximately), depending on the values of the key bits. This bias will allow us to carry the<br />
linear attack.<br />
Assume we have N_l plaintext-ciphertext pairs, all using the same unknown key K. The attack will allow us
to obtain the key bits
K^5_5, K^5_6, K^5_7, K^5_8, K^5_13, K^5_14, K^5_15, K^5_16,
that is, the eight key bits that are xored with the output of the S-boxes S^4_2 and S^4_4. (They correspond to the
bits of u^4 involved in our linear relation.)
There are 2^8 = 256 possibilities for these eight bits. Any binary 8-tuple containing values for these eight
key bits will be called a candidate subkey.
For each plaintext-ciphertext pair (x,y) and each candidate subkey, we compute a partial decryption of
y to obtain the resulting values of u^4_(2) and u^4_(4) (the second and fourth 4-bit blocks of u^4). Then we compute the value
x_5 ⊕ x_7 ⊕ x_8 ⊕ u^4_6 ⊕ u^4_8 ⊕ u^4_14 ⊕ u^4_16.
We maintain an array of counters indexed by the 256 candidate subkeys and increment the counter corresponding
to a particular subkey whenever the previous result is 0.
At the end, we expect most counters to be close to N_l/2, but the counter for the correct candidate subkey will
be close to N_l/2 ± N_l/32. This will hopefully allow us to identify the correct subkey.
For our example, some partial results for the counters corresponding to the candidate subkeys are shown in
the table below; there N_l = 10000 and |bias| = |count − 5000|/10000. Notice that the value corresponding to
the subkey (2,4) hex has the corresponding value 0.0336, very close to the expected 1/32 = 0.03125.
candidate subkey (K^5_5,...,K^5_8, K^5_13,...,K^5_16)   |bias|
1 C   0.0031
1 D   0.0078
1 E   0.0071
1 F   0.0170
2 0   0.0025
2 1   0.0220
2 2   0.0211
2 3   0.0064
2 4   0.0336
2 5   0.0106
2 6   0.0096
2 7   0.0074
2 8   0.0224
2 9   0.0054
2 A   0.0044
2 B   0.0186
2 C   0.0094
5.6 Complexity of attack
Let ε denote the bias of the probability that the linear expression for the complete cipher holds. The number
N_l of known plaintext-ciphertext pairs required is approximated to be
N_l ≈ 1/ε^2.
In practice N_l is a small multiple of 1/ε^2. In our example, N_l was about ten times 1/ε^2.
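The counting procedure of the last two sections, as an added example that is not part of the lecture notes: the toy SPN is rebuilt from the S-box of Example 5.1 (read off Example 5.5), and the bit permutation π_P (bit 4i+j moves to bit 4j+i, 1-based) and the key schedule K^r = key bits 4r−3 … 4r+12 are assumptions matching the textbook SPN; the 32-bit KEY is a constructed value, and the bucketing of the pairs by (x_5⊕x_7⊕x_8, y_(2), y_(4)) is a speed-up of mine that yields exactly the counters the notes describe.

```python
# Added example, not the lecture notes' code: the linear attack of 5.5-5.6 run against the
# toy SPN.  Assumptions: the S-box of Example 5.1 (read off Example 5.5), the permutation
# pi_P (bit 4i+j -> 4j+i, 1-based) and the schedule K^r = key bits 4r-3..4r+12, as in the
# textbook SPN; the 32-bit KEY is a constructed value.
import random

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]
KEY = 0x1F2A9C4D  # constructed; K^5 = 0x9C4D, so the target subkey is (C, D) hex


def substitute(u):
    """Apply the S-box to each of the four 4-bit blocks of a 16-bit word."""
    return sum(SBOX[(u >> (4 * k)) & 0xF] << (4 * k) for k in range(4))


def permute(v):
    """pi_P: bit 4i+j (numbered 1..16 from the left, i,j = 0..3) moves to bit 4j+i."""
    w = 0
    for i in range(4):
        for j in range(4):
            w |= ((v >> (15 - (4 * i + j))) & 1) << (15 - (4 * j + i))
    return w


def round_keys(key):
    """K^1..K^5: sixteen consecutive key bits starting at bit 4r-3 (r = 1..5)."""
    return [(key >> (16 - 4 * r)) & 0xFFFF for r in range(5)]


def encrypt(x, key):
    K = round_keys(key)
    w = x
    for r in range(3):                       # rounds 1-3: key xor, S-boxes, permutation
        w = permute(substitute(w ^ K[r]))
    return substitute(w ^ K[3]) ^ K[4]       # round 4: no permutation, final key xor


def bit(word, i):
    """Bit number i of a 16-bit word, numbered 1..16 from the left as in the notes."""
    return (word >> (16 - i)) & 1


def linear_attack(pairs):
    """Counters for the 256 candidate subkeys (L1 = K^5_5..8, L2 = K^5_13..16) using
    x5 ^ x7 ^ x8 ^ u^4_6 ^ u^4_8 ^ u^4_14 ^ u^4_16 = 0.  Returns ({(L1, L2): |bias|}, best).
    The relation only depends on x5^x7^x8 and on blocks 2 and 4 of y, so the pairs are
    first bucketed by those 9 bits; this gives the same counters as visiting every pair
    for every candidate, only faster (my shortcut, not part of the notes)."""
    n = len(pairs)
    buckets = [[[0] * 16 for _ in range(16)] for _ in range(2)]
    for x, y in pairs:
        xb = bit(x, 5) ^ bit(x, 7) ^ bit(x, 8)
        buckets[xb][(y >> 8) & 0xF][y & 0xF] += 1
    bias = {}
    for l1 in range(16):
        for l2 in range(16):
            count = 0
            for y2 in range(16):
                u2 = SBOX_INV[y2 ^ l1]               # partial decryption of block 2
                z2 = ((u2 >> 2) & 1) ^ (u2 & 1)      # u^4_6 ^ u^4_8
                for y4 in range(16):
                    u4 = SBOX_INV[y4 ^ l2]           # partial decryption of block 4
                    z4 = ((u4 >> 2) & 1) ^ (u4 & 1)  # u^4_14 ^ u^4_16
                    count += buckets[z2 ^ z4][y2][y4]  # relation is 0 iff xb == z2^z4
            bias[(l1, l2)] = abs(count - n / 2) / n
    return bias, max(bias, key=bias.get)


def run_attack(n_pairs=100000, seed=2011):
    """Generate known plaintext-ciphertext pairs under KEY and recover the subkey."""
    rng = random.Random(seed)
    pairs = [(x, encrypt(x, KEY)) for x in (rng.getrandbits(16) for _ in range(n_pairs))]
    bias, best = linear_attack(pairs)
    k5 = round_keys(KEY)[4]
    true_subkey = ((k5 >> 8) & 0xF, k5 & 0xF)
    return best, true_subkey, bias[true_subkey]


if __name__ == "__main__":
    best, true_subkey, b = run_attack()
    print("recovered %s, actual %s, |bias| = %.4f (expected about 1/32)"
          % (best, true_subkey, b))
```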
5.7 Differential cryptanalysis<br />
Differential cryptanalysis is similar to linear cryptanalysis in many respects. The main difference is that differential
cryptanalysis involves comparing the xor of two inputs to the xor of the corresponding two outputs.
We will be looking at (binary) inputs x and x* and denote their xor by x' = x ⊕ x*.
Differential cryptanalysis is a chosen plaintext attack. We assume that the attacker has a large number of
4-tuples (x, x*, y, y*) where the xor value x' = x ⊕ x* is fixed. The plaintexts x and x* are encrypted using the
same unknown key K, yielding the ciphertexts y and y*, respectively. For each such 4-tuple, we begin to decrypt
the ciphertexts y and y* using all possible candidate keys for the last round of the cipher. For each candidate
key, we compute the values of certain state bits and determine if their xor has the value which is most likely for
the given input xor. Whenever it does, we increment a counter corresponding to the particular candidate key.
At the end, we hope that the candidate key with the highest frequency count contains the right values for the
key bits involved.
Let π_S : {0,1}^m → {0,1}^n be an S-box. For a pair of m-bit strings (x, x*), we say that x ⊕ x* is the input
xor of the S-box and π_S(x) ⊕ π_S(x*) is the output xor of the S-box. For an m-bit string x', we denote by Δ(x')
the set of all pairs (x, x*) with input xor equal to x'. It is easy to see that Δ(x') contains 2^m pairs and
Δ(x') = {(x, x ⊕ x') | x ∈ {0,1}^m}.
For each pair in Δ(x') (i.e., with the same input xor) we compute the output xor and then tabulate the results.
There are 2^m output xors which are distributed among 2^n possible values. A non-uniform output distribution
will be the basis for an attack.
Example 5.5. For the S-box in Example 5.1, consider the input xor x' = 1011. The table below contains
the values of Δ(1011) in the first two columns, then the outputs of the S-box and, in the last column, the
output xor.
x      x* = x ⊕ 1011   y = π_S(x)   y* = π_S(x*)   y' = y ⊕ y*
0000   1011            1110         1100           0010
0001   1010            0100         0110           0010
0010   1001            1101         1010           0111
0011   1000            0001         0011           0010
0100   1111            0010         0111           0101
0101   1110            1111         0000           1111
0110   1101            1011         1001           0010
0111   1100            1000         0101           1101
1000   0011            0011         0001           0010
1001   0010            1010         1101           0111
1010   0001            0110         0100           0010
1011   0000            1100         1110           0010
1100   0111            0101         1000           1101
1101   0110            1001         1011           0010
1110   0101            0000         1111           1111
1111   0100            0111         0010           0101
The corresponding output xor distribution (given by the last column) is
y'      0000 0001 0010 0011 0100 0101 0110 0111
count   0    0    8    0    0    2    0    2
y'      1000 1001 1010 1011 1100 1101 1110 1111
count   0    0    0    0    0    2    0    2
□
We can do the same as above for all input xors. Denote, for an input xor x' and an output xor y', the number
of input pairs with input xor x' and output xor y' by N_D(x', y'), that is,
N_D(x', y') = card({(x, x*) ∈ Δ(x') | π_S(x) ⊕ π_S(x*) = y'}).
All values of N_D(x', y') for our example are shown in Fig. 9.
N_D(x', y'), rows x' (input xor), columns y' (output xor):
x'\y'  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0     16  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
1      0  0  0  2  0  0  0  2  0  2  4  0  4  2  0  0
2      0  0  0  2  0  6  2  2  0  2  0  0  0  0  2  0
3      0  0  2  0  2  0  0  0  0  4  2  0  2  0  0  4
4      0  0  0  2  0  0  6  0  0  2  0  4  2  0  0  0
5      0  4  0  0  0  2  2  0  0  0  4  0  2  0  0  2
6      0  0  0  4  0  4  0  0  0  0  0  0  2  2  2  2
7      0  0  2  2  2  0  2  0  0  2  2  0  0  0  0  4
8      0  0  0  0  0  0  2  2  0  0  0  4  0  4  2  2
9      0  2  0  0  2  0  0  4  2  0  2  2  2  0  0  0
A      0  2  2  0  0  0  0  0  6  0  0  2  0  0  4  0
B      0  0  8  0  0  2  0  2  0  0  0  0  0  2  0  2
C      0  2  0  0  2  2  2  0  0  0  0  2  0  6  0  0
D      0  4  0  0  0  0  0  4  2  0  2  0  2  0  2  0
E      0  0  2  4  2  0  0  0  6  0  0  0  0  0  2  0
F      0  2  0  0  6  0  0  0  0  4  0  2  0  0  2  0
Figure 9: A difference distribution table
Notice next that the input xor to an S-box is
u^r_(i) ⊕ (u^r_(i))* = (w^{r−1}_(i) ⊕ K^r_(i)) ⊕ ((w^{r−1}_(i))* ⊕ K^r_(i)) = w^{r−1}_(i) ⊕ (w^{r−1}_(i))*
so it does not depend on the key used in the same round; it is equal to the permuted output xor of the previous
round.
For an input xor x' and an output xor y', the pair (x', y') is called a differential. Each entry in the difference
distribution table gives rise to a xor propagation ratio. For the corresponding differential,
R_p(x', y') = N_D(x', y') / 2^m.
R_p(x', y') can also be interpreted as a conditional probability:
R_p(x', y') = Prob[output xor = y' | input xor = x'].
The idea is to find propagation ratios for differentials in consecutive rounds of an SPN such that the input
xor of a differential in any round is the same as the permuted output xor of the differentials in the previous
round. Then these differentials can be combined to make a differential trail. We make the assumption that
the propagation ratios in the differential trail are independent, which is not mathematically true in general.
However, it is a reasonably good approximation in practice to multiply the propagation ratios (as if they were
independent) to obtain the propagation ratio of the entire trail.
For our working SPN example, we can choose the following differentials, see Fig. 10 (the thick lines show
the differential trail):
• in S^1_2 : R_p(1011, 0010) = 1/2;
• in S^2_3 : R_p(0100, 0110) = 3/8;
• in S^3_2 : R_p(0010, 0101) = 3/8;
• in S^3_3 : R_p(0010, 0101) = 3/8.
Figure 10: A differential trail of a substitution-permutation network (diagram: x' = 0000 1011 0000 0000 enters S^1_2; the trail continues through S^2_3, then S^3_2 and S^3_3, and reaches u^4 after the xor with K^4; the round keys K^1 … K^5 are marked)
Now, the propagation ratio for this trail is
R_p(0000 1011 0000 0000, 0000 0101 0101 0000) = 1/2 · 3/8 · 3/8 · 3/8 = 27/1024.
This means that
x' = 0000 1011 0000 0000 implies that (v^3)' = 0000 0101 0101 0000
with probability 27/1024. Therefore,
x' = 0000 1011 0000 0000 implies that (u^4)' = 0000 0110 0000 0110
with the same probability 27/1024.
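The difference distribution table of Fig. 9, the row of Example 5.5 and the ratio of the trail above, computed as an added example that is not part of the lecture notes; the S-box is the one of Example 5.1 read off the y = π_S(x) column of Example 5.5, and the only assumption is the independence of the rounds that the notes themselves make.

```python
# Added example, not the lecture notes' code: the difference distribution table N_D(x', y')
# of the S-box of Example 5.1 (read off the y = pi_S(x) column of Example 5.5), the xor
# propagation ratios R_p of the four differentials of Fig. 10, and their product, the
# ratio of the whole differential trail (under the independence assumption of the notes).
from fractions import Fraction

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def difference_table(sbox):
    """table[x'][y'] = N_D(x', y') = number of pairs (x, x ^ x') with output xor y'."""
    m = len(sbox)
    table = [[0] * m for _ in range(m)]
    for xd in range(m):
        for x in range(m):                 # Delta(x') = {(x, x ^ x') : x in {0,1}^m}
            table[xd][sbox[x] ^ sbox[x ^ xd]] += 1
    return table


def output_xor_distribution(sbox, xd):
    """Row x' of the table: the distribution tabulated in Example 5.5 for x' = 1011."""
    return difference_table(sbox)[xd]


def propagation_ratio(table, xd, yd):
    """R_p(x', y') = N_D(x', y') / 2^m = Prob[output xor = y' | input xor = x']."""
    return Fraction(table[xd][yd], len(table))


def trail_ratio(table, differentials):
    """Product of the ratios along a trail, treating the rounds as independent."""
    ratio = Fraction(1)
    for xd, yd in differentials:
        ratio *= propagation_ratio(table, xd, yd)
    return ratio


# The trail of Fig. 10: S^1_2 (1011 -> 0010), S^2_3 (0100 -> 0110), and S^3_2, S^3_3
# (both 0010 -> 0101).  The permutation between rounds only moves bits, so it does not
# change the ratio.
TRAIL = [(0b1011, 0b0010), (0b0100, 0b0110), (0b0010, 0b0101), (0b0010, 0b0101)]

if __name__ == "__main__":
    nd = difference_table(SBOX)
    print("row 1011 of N_D:", nd[0b1011])            # 0 0 8 0 0 2 0 2 0 0 0 0 0 2 0 2
    for xd, yd in TRAIL:
        print("R_p(%04d, %04d) = %s" % (int(bin(xd)[2:]), int(bin(yd)[2:]),
                                        propagation_ratio(nd, xd, yd)))
    print("trail ratio =", trail_ratio(nd, TRAIL))     # 27/1024
```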
The algorithm follows now the informal description at the beginning of this section. Some values are shown in
the table below; N_d = 5000 4-tuples with the right input and output xors were used; in the table prob = count/5000.
candidate subkey (K^5_5,...,K^5_8, K^5_13,...,K^5_16)   prob
1 C   0.0000
1 D   0.0000
1 E   0.0000
1 F   0.0000
2 0   0.0000
2 1   0.0136
2 2   0.0068
2 3   0.0068
2 4   0.0244
2 5   0.0000
2 6   0.0068
2 7   0.0068
2 8   0.0030
2 9   0.0024
2 A   0.0032
2 B   0.0022
2 C   0.0000
Notice that the value corresponding to the subkey (2,4) hex has the corresponding value 0.0244, very close to the
expected 27/1024 ≈ 0.0264.
About the complexity of the attack, if p is the propagation ratio of the differential trail being used, then the
number of 4-tuples required is approximated to be
N_d ≈ 1/p.
In practice, N_d is a small multiple of 1/p.
5.8 Applications to DES
In the case of DES, linear cryptanalysis is the more efficient of the two. A number of 2^43 plaintext/ciphertext
pairs, all of which are encrypted with the same unknown key, were used for a linear attack
against DES.
It is interesting to notice that the number of operations required to break a 16-round DES using differential
cryptanalysis is 2^55.1, compared to 2^55 used by brute force. So, there is a very good reason behind the number
of rounds of DES.
6 FINITE FIELDS<br />
6.1 Definitions<br />
Given a set S and a binary operation ∗, we say that S is closed under ∗ if, for any a,b ∈ S, we have a∗b ∈ S.
We shall assume in the sequel that the sets are closed under the operations we consider.
Example 6.1. The set {1,2,...,n} is not closed under +.
□
A group is a structure (S,∗) such that
(i) ∗ is associative: for all a,b,c ∈ S, a∗(b∗c) = (a∗b)∗c
(ii) it has an identity, 1_S: for any a ∈ S, a∗1_S = 1_S∗a = a
(iii) each element a ∈ S has an inverse a' ∈ S: a∗a' = a'∗a = 1_S
A group (S,∗) is called abelian (commutative) if ∗ is commutative: for all a,b ∈ S, a∗b = b∗a.
(S,∗) with (i) above is called a semigroup and with (i)-(ii) a monoid.
Example 6.2. (Z,+) is an abelian group. The set of all permutations on n elements, S_n = {π | π : {1,2,...,n} →
{1,2,...,n}, π bijective}, with composition ◦ is a group which is not commutative; for instance,
(1 2 3)   (1 2 3)   (1 2 3)         (1 2 3)   (1 2 3)   (1 2 3)
(2 1 3) ◦ (3 1 2) = (1 3 2)   but   (3 1 2) ◦ (2 1 3) = (3 2 1).
The set of positive integers N with addition is not a group because there
are no inverses; it is a commutative monoid. N−{0} is a commutative semigroup. (Z,×) is not a group because
there are no inverses; it is a commutative monoid.
□
A ring is a structure (S,+,×) such that
(i) (S,+) is an abelian group (the additive identity is denoted 0 and the additive inverse of a is denoted −a)
(ii) (S,×) is a semigroup
(iii) it has distributivity: for all a,b,c ∈ S, a×(b+c) = (a×b)+(a×c) and (b+c)×a = (b×a)+(c×a)
A field is a structure (S,+,×) such that
(i) (S,+) is an abelian group
(ii) (S−{0},×) is an abelian group (the multiplicative identity is 1 and the multiplicative inverse of a is a^{−1})
(iii) it has distributivity
Example 6.3. (Z,+,×) is a ring but not a field. (Z_n,+,×) is a ring but, in general, not a field because only
elements coprime with n are invertible. If p is prime, then (Z_p,+,×) is a field. Also (Q,+,×) and (R,+,×)
are fields, but we shall be interested in finite fields only.
□
6.2 Modular arithmetic<br />
Recall that a is congruent to b modulo n, denoted a ≡ b (mod n), iff n | a−b. The remainder of a modulo n is
denoted a mod n. Here are some properties of congruences:
(i) a ≡ a (mod n)
(ii) if a ≡ b (mod n), then b ≡ a (mod n)
(iii) if a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n)
(iv) if a ≡ b (mod n) and c ≡ d (mod n), then a±c ≡ b±d (mod n)
(v) if a ≡ b (mod n) and d | n, then a ≡ b (mod d)
(vi) if a ≡ b (mod n) and a ≡ b (mod m) with gcd(n,m) = 1, then a ≡ b (mod nm)
The set of residue classes modulo n is denoted Z_n, and (Z_n,+,×) is a commutative ring. If p is prime, then
(Z_p,+,×) is a field.
The greatest common divisor of a and b is the largest common divisor of a and b. It is computed by the
Euclidean algorithm.
Euclidean Algorithm
- given: two positive integers r_0 and r_1 with r_0 > r_1
- computes: gcd(r_0, r_1)
Algorithm:
1. perform the following sequence of divisions
r_0 = q_1 r_1 + r_2,   0 < r_2 < r_1
r_1 = q_2 r_2 + r_3,   0 < r_3 < r_2
...
r_{m−2} = q_{m−1} r_{m−1} + r_m,   0 < r_m < r_{m−1}
r_{m−1} = q_m r_m
2. return gcd(r_0, r_1) = r_m
Also, as we know, b ∈ Z_n is invertible iff gcd(b,n) = 1. In such a case, the inverse b^{−1} of b modulo n is
computed by the Extended Euclidean algorithm. The set of invertible elements is denoted Z_n^*,
Z_n^* = {b ∈ Z_n | gcd(b,n) = 1},
and it is an abelian group under multiplication.
Put:
t_0 = 0
t_1 = 1
t_j = (t_{j−2} − q_{j−1} t_{j−1}) mod r_0, if j ≥ 2
Theorem 6.4. If gcd(r_0, r_1) = 1, then t_m = r_1^{−1} mod r_0.
Proof. For any 1 ≤ j ≤ m, we have r_j ≡ t_j r_1 (mod r_0). Since r_m = gcd(r_0, r_1) = 1, we get 1 ≡ t_m r_1
(mod r_0), as claimed.
□
Extended Euclidean Algorithm
- given: two positive integers n and b
- computes: the inverse of b modulo n, b^{−1} mod n, if it exists
Algorithm:
1. n_0 = n
2. b_0 = b
3. t_0 = 0
4. t = 1
5. q = ⌊n_0 / b_0⌋
6. r = n_0 − q b_0
7. while r > 0 do
8.    temp = t_0 − q t
9.    if temp ≥ 0 then temp = temp mod n
10.   else temp = n − ((−temp) mod n)
11.   t_0 = t
12.   t = temp
13.   n_0 = b_0
14.   b_0 = r
15.   q = ⌊n_0 / b_0⌋
16.   r = n_0 − q b_0
17. if b_0 ≠ 1 then output "b has no inverse modulo n"
18. else return b^{−1} = t mod n
Note: Steps 9 and 10 – in some programming languages modular reductions yield negative results.
Example 6.5. Let us compute 28^{−1} mod 75. We have the computations below:
i   r_i   q_i   t_i
0   75          0
1   28    2     1
2   19    1     −2
3   9     2     3
4   1     9     −8
Therefore, 28^{−1} mod 75 = (−8) mod 75 = 67.
□
6.3 Polynomial rings
Given a commutative ring (R,+,·), consider the set of polynomials in the indeterminate x
R[x] = {a_n x^n + ··· + a_1 x + a_0 | n ≥ 0, a_i ∈ R}.
Addition and multiplication in R[x] are defined using the operations in R:
∑_{i=0}^{n} a_i x^i + ∑_{i=0}^{m} b_i x^i = ∑_{i=0}^{max(n,m)} (a_i + b_i) x^i,
(∑_{i=0}^{n} a_i x^i) · (∑_{i=0}^{m} b_i x^i) = ∑_{i=0}^{n+m} (∑_{j+k=i} a_j b_k) x^i.
Notice that, in general, we have:
- in a ring, long division: a = qb + r,
- in a field, exact division: a = qb, where q = ab^{−1}.
Example 6.6. In Z, 5/3 is 5 = 1×3 + 2. In Z_7, 5/3 = 5×3^{−1} = 5×5 = 4.
□
Therefore, if we want division in a polynomial ring, we need that the coefficients form a field. Otherwise,
even long division might not be possible.
Example 6.7. In Z[x], 5x^2/(3x) is not possible. In Z_7[x], 5x^2/(3x) = 4x.
□
We shall therefore consider polynomial rings of the form Z_p[x] with p prime.
6.4 The ring Z_p[x]
For f(x), g(x) ∈ Z_p[x], we say that f(x) divides g(x), denoted f(x) | g(x), iff there is q(x) ∈ Z_p[x] such that
f(x)q(x) = g(x). The degree of f(x), denoted deg(f), is the highest exponent of x in f(x). We say that g(x)
and h(x) are congruent modulo f(x) iff f(x) | g(x) − h(x).
Also, long division is possible here. There exist unique q(x) and r(x) such that g(x) = q(x)f(x) + r(x) and
deg(r) < deg(f). Therefore, g(x) is congruent modulo f(x) to a unique polynomial of degree strictly less than
that of f(x).
Example 6.8. Fig 4.4 shows some examples of operations in Z_2[x].
□
A polynomial f(x) is called irreducible iff there are no polynomials f_1(x) and f_2(x), both of non-zero degree,
such that f(x) = f_1(x) f_2(x).
Z is a ring which is not a field. Using a prime p we can build Z_p, which is a field. Similarly, Z_p[x] is not a
field, but we can construct one using an irreducible polynomial f(x) and the set of all residue classes modulo
f(x), denoted Z_p[x]/f(x). The operations in Z_p[x]/f(x) are as in Z_p[x] but followed by a reduction modulo
f(x).
We also notice that both the Euclidean algorithm and the extended Euclidean algorithm work in Z_p[x]/f(x) unchanged.
Example 6.9. It can be verified that x^8 + x^4 + x^3 + x + 1 is irreducible. Let us compute gcd(x^7 + x + 1, x^8 + x^4 + x^3 + x + 1)
and (x^7 + x + 1)^{−1} mod (x^8 + x^4 + x^3 + x + 1). The computations are shown in the table below:
i   r_i                         q_i                 t_i
0   x^8 + x^4 + x^3 + x + 1                         0
1   x^7 + x + 1                 x                   1
2   x^4 + x^3 + x^2 + 1         x^3 + x^2 + 1       x
3   x                           x^3 + x^2 + x       x^4 + x^3 + x + 1
4   1                           x                   x^7
Thus, gcd(x^7 + x + 1, x^8 + x^4 + x^3 + x + 1) = 1 and (x^7 + x + 1)^{−1} mod (x^8 + x^4 + x^3 + x + 1) = x^7.
□
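The Extended Euclidean Algorithm of Section 6.2, as an added example that is not part of the lecture notes, written once over an abstract division with remainder so that the same routine reproduces Example 6.5 in Z_75 and Example 6.9 in Z_2[x]; polynomials over Z_2 are stored as integers whose bits are the coefficients (my representation), and the t_j are reduced modulo n once at the end rather than at every step as in Steps 9–10, which gives the same result.

```python
# Added example, not the lecture notes' code: the Extended Euclidean Algorithm of 6.2
# written once over an abstract division with remainder, so the same routine computes
# 28^{-1} mod 75 (Example 6.5) and (x^7+x+1)^{-1} mod (x^8+x^4+x^3+x+1) in Z_2[x]
# (Example 6.9).  Polynomials over Z_2 are integers whose bits are the coefficients,
# e.g. x^8+x^4+x^3+x+1 = 0b100011011 = 0x11B.  The t_j are kept unreduced and reduced
# modulo n once at the end, which gives the same result as Steps 9-10 of the notes.

def gf2_degree(a):
    return a.bit_length() - 1


def gf2_divmod(a, b):
    """Long division in Z_2[x]: a = q*b + r with deg(r) < deg(b)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, a
    while r and gf2_degree(r) >= gf2_degree(b):
        shift = gf2_degree(r) - gf2_degree(b)
        q ^= 1 << shift            # q += x^shift
        r ^= b << shift            # r -= x^shift * b  (subtraction is xor over Z_2)
    return q, r


def gf2_mul(a, b):
    """Multiplication in Z_2[x] without reduction (the product formula of 6.3)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        b >>= 1
    return p


def extended_euclid(r0, r1, divmod_fn, mul, sub):
    """Remainder sequence r_0, r_1, r_2, ... with t_j = t_{j-2} - q_{j-1} t_{j-1}
    (Theorem 6.4).  Returns (r_m, t_m) = (gcd(r0, r1), t) with t*r1 = gcd (mod r0)."""
    n0, b0 = r0, r1
    t0, t = 0, 1
    q, r = divmod_fn(n0, b0)
    while r != 0:
        t0, t = t, sub(t0, mul(q, t))
        n0, b0 = b0, r
        q, r = divmod_fn(n0, b0)
    return b0, t


def gcd(a, b):
    """gcd of two positive integers by the Euclidean algorithm (the r_m of the notes)."""
    return extended_euclid(a, b, divmod, lambda x, y: x * y, lambda x, y: x - y)[0]


def inverse_mod(b, n):
    """b^{-1} mod n, or None when gcd(b, n) != 1 (Steps 17-18 of the notes)."""
    g, t = extended_euclid(n, b, divmod, lambda x, y: x * y, lambda x, y: x - y)
    return t % n if g == 1 else None        # Python's % never returns a negative value


def gf2_inverse_mod(b, m):
    """b(x)^{-1} mod m(x) in Z_2[x], or None when gcd(b(x), m(x)) != 1."""
    g, t = extended_euclid(m, b, gf2_divmod, gf2_mul, lambda x, y: x ^ y)
    return gf2_divmod(t, m)[1] if g == 1 else None


if __name__ == "__main__":
    print("28^-1 mod 75 =", inverse_mod(28, 75))                               # 67
    print("(x^7+x+1)^-1 mod m(x) = 0x%02X" % gf2_inverse_mod(0x83, 0x11B))      # 0x80 = x^7
```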
6.5 Finite fields
It can be shown that the number of elements in any finite field is a power of a prime, that is, p^n, p prime, n ≥ 1.
The finite field with p^n elements is denoted F_{p^n} or GF(p^n). For n = 1, F_p is isomorphic to Z_p. For n ≥ 2, F_{p^n}
is isomorphic to Z_p[x]/f(x), where f(x) is an irreducible polynomial of degree n. (It has p^n elements because
there are n coefficients which can take p values.) For any irreducible polynomial f(x), an isomorphic field is
obtained.
Example 6.10. A field with 8 = 2^3 elements can be constructed using Z_2[x] and the irreducible polynomial
x^3 + x + 1, that is Z_2[x]/(x^3 + x + 1).
□
6.6 Motivation for using finite fields
All encryption algorithms use arithmetic. So, if we need division, then we have to work in a field (see the above
examples). Second, for convenience and implementation issues, we work with integers that fit into a number
of bits, that is, we work with numbers between 0 and 2^n − 1.
Assume we have 8-bit integers. We can represent numbers from 0 to 255. Since 256 is not a prime, we can
try the nearest smaller prime, which is 251. That means to use the field Z_251. First, we have inefficient use of
memory. Second, the fact that some numbers cannot appear (251 to 255) represents additional information for
potential attacks.
Assuming we do not use division in the encryption/decryption algorithms, we can try to use Z_{2^n}, which is
not a field. For n = 3, the multiplication table for Z_{2^3} is shown below:
× (Z_8)   0 1 2 3 4 5 6 7
0         0 0 0 0 0 0 0 0
1         0 1 2 3 4 5 6 7
2         0 2 4 6 0 2 4 6
3         0 3 6 1 4 7 2 5
4         0 4 0 4 0 4 0 4
5         0 5 2 7 4 1 6 3
6         0 6 4 2 0 6 4 2
7         0 7 6 5 4 3 2 1
On the other hand, the multiplication table for F_{2^3}, represented as Z_2[x]/(x^3 + x + 1), is given below (each
polynomial is represented as a number from 0 to 7 whose binary representation gives the coefficients):
× (F_{2^3})   0 1 2 3 4 5 6 7
0             0 0 0 0 0 0 0 0
1             0 1 2 3 4 5 6 7
2             0 2 4 6 3 1 7 5
3             0 3 6 5 7 4 1 2
4             0 4 3 7 6 2 5 1
5             0 5 1 4 2 7 3 6
6             0 6 7 1 5 3 2 4
7             0 7 5 2 1 6 4 3
The distribution of numbers in the two tables is given below:
integer                   1  2  3  4  5  6  7
occurrences for Z_8       4  8  4 12  4  8  4
occurrences for F_{2^3}   7  7  7  7  7  7  7
We can see a very uniform distribution for F_{2^3} and a very non-uniform one for Z_8. Such a distribution is very
important for the security of a cryptosystem.
Consequently, fields of the form F_{2^n} are attractive for cryptographic algorithms.
6.7 Computational considerations in F_{2^n}
Addition in F_{2^n} is simply bitwise xor, since this is the addition of Z_2.
Multiplication is slightly more complicated. We show how it can be done efficiently in F_{2^8} represented as
Z_2[x]/m(x), with m(x) = x^8 + x^4 + x^3 + x + 1. (This is used in AES.) We notice that for f(x) = b_7 x^7 + b_6 x^6 +
b_5 x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x + b_0, we have
x f(x) mod m(x) = (b_7 x^8 + b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x) mod m(x)
                = b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x + b_7 (x^4 + x^3 + x + 1)
Let us denote polynomials in F_{2^8} as 8-bit blocks. Then
x f(x) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0),                 if b_7 = 0,
x f(x) = (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) ⊕ (00011011),    if b_7 = 1.
Therefore, multiplication will be done in two stages:
- compute the multiplication with powers of x by repeating the above
- xor the corresponding results
The idea generalizes immediately to any F_{2^n}.
Example 6.11. We compute f(x)g(x) mod m(x) for f(x) = x^6 + x^4 + x^2 + x + 1 and g(x) = x^7 + x + 1. First,
the powers of x:
(01010111)(00000001) = (01010111)
(01010111)(00000010) = (10101110)
(01010111)(00000100) = (01011100) ⊕ (00011011) = (01000111)
(01010111)(00001000) = (10001110)
(01010111)(00010000) = (00011100) ⊕ (00011011) = (00000111)
(01010111)(00100000) = (00001110)
(01010111)(01000000) = (00011100)
(01010111)(10000000) = (00111000)
Next, we xor the results corresponding to 1, x, and x^7. We get
f(x)g(x) mod m(x) = (01010111) ⊕ (10101110) ⊕ (00111000) = (11000001) = x^7 + x^6 + 1.
□
7 ADVANCED ENCRYPTION STANDARD<br />
7.1 The new standard
The underlying algorithm, Rijndael (by J. Daemen and V. Rijmen), was chosen by NIST as the new standard
(to replace DES) in Oct 2000 out of 21 candidate algorithms. The initial criteria used by NIST were:
- security – effort required to cryptanalyze the algorithm
- cost – computational efficiency
- algorithm and implementation characteristics – flexibility, simplicity, etc.
These criteria reduced the candidates to 5. The second round of criteria contained:
- general security – analysis by the cryptographic community
- software implementations – variety of platforms and variation of speed with key size
- restricted space environments – e.g., smart cards
- hardware implementations
- attacks on implementations – timing attacks and power analysis
- encryption vs decryption – different algorithm or the same, timing differences
- key agility – ability to change keys quickly and with little effort
- other versatility and flexibility – support for other key sizes, block sizes, number of rounds
- potential for parallelism
7.2 Description of AES
The overall structure of AES is shown in Fig. 5.1.
The possible parameters of AES are shown in the table below:
Key size (words/bytes/bits)               4/16/128      6/24/192      8/32/256
Plaintext block size (words/bytes/bits)   4/16/128      4/16/128      4/16/128
Number of rounds                          10            12            14
Round key size (words/bytes/bits)         4/16/128      4/16/128      4/16/128
Expanded key size (words/bytes/bits)      44/176/1408   52/208/1664   60/240/1920
Here are some of the main characteristics of AES:
- input to the encryption and decryption algorithms is a 128-bit block
- the block is represented as a matrix of 16 bytes, ordered by columns
- the block is copied to the state array which, at the end, is copied into the output matrix – see Fig 5.2(a)
- the key is expanded into an array of 44 key schedule words – see Fig. 5.2(b)
There are four stages in each round, except for the last. A single (complete) round is shown in Fig 5.3.
Before discussing the operations in a round in detail, we make some more comments on the overall structure
of AES:
- it is not a Feistel structure – it allows parallelism
- the expanded key has 44 32-bit words and each round uses 4 words (128 bits)
- each stage is easily reversible
- the encryption and decryption algorithms are not the same
- there are four stages in each round: Substitute Bytes, Shift Rows, Mix Columns, and Add Round Key; the
first three provide confusion, diffusion and nonlinearity; security is provided by the xor with the round key
We discuss next each of the four stages. AES uses arithmetic in the finite field F_{2^8} represented as Z_2[x]/m(x),
for m(x) = x^8 + x^4 + x^3 + x + 1.
Substitute bytes
This is a simple table lookup; see Fig 5.4(a). An AES S-box is a matrix of 16 by 16 byte values. Each byte
of the state is mapped to a new value by taking the value in the S-box in the row given by the first four bits and
the column given by the last four bits.
The S-box itself is constructed as follows:
- it is initialized with all values for bytes in increasing order following the row order
- each byte is mapped to its inverse in F_{2^8}
- each byte (b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0) is modified according to the transformation
[b_0]     [1 0 0 0 1 1 1 1] [b_0]   [1]
[b_1]     [1 1 0 0 0 1 1 1] [b_1]   [1]
[b_2]     [1 1 1 0 0 0 1 1] [b_2]   [0]
[b_3]  ←  [1 1 1 1 0 0 0 1] [b_3] ⊕ [0]
[b_4]     [1 1 1 1 1 0 0 0] [b_4]   [0]
[b_5]     [0 1 1 1 1 1 0 0] [b_5]   [1]
[b_6]     [0 0 1 1 1 1 1 0] [b_6]   [1]
[b_7]     [0 0 0 1 1 1 1 1] [b_7]   [0]
The S-box is designed to resist known attacks. There is low correlation between input and output bits. The
output cannot be described as a simple mathematical function of the input. The S-box has no fixed point or
opposite fixed point. It is invertible but not its own inverse.
Below are the S-box <strong>and</strong> its inverse.<br />
S-box<br />
0 1 2 3 4 5 6 7 8 9 a b c d e f<br />
0 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76<br />
1 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0<br />
2 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15<br />
3 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75<br />
4 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84<br />
5 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf<br />
6 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8<br />
7 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2<br />
8 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73<br />
9 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db<br />
a e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79<br />
b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08<br />
c ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a<br />
d 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e<br />
e e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df<br />
f 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16<br />
inverse S-box<br />
0 1 2 3 4 5 6 7 8 9 a b c d e f<br />
0 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb<br />
1 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb<br />
2 54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e<br />
3 08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25<br />
4 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92<br />
5 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84<br />
6 90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06<br />
7 d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b<br />
8 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73<br />
9 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e<br />
a 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b<br />
b fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4<br />
c 1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f<br />
d 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef<br />
e a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61<br />
f 17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d<br />
Here is an example of calculation for one position in the S-box. For position 01, we have ({01})^{−1} = {01} =
(00000001) and after transformation it becomes (01111100) = {7c}.
Here is another one. We have {95}^{−1} = {8a} = (10001010). After transformation it becomes (00101010) =
{2a}. Here is an example of SubBytes transformation:
ea 04 65 85        87 f2 4d 97
83 45 5d 96   →    ec 6e 4c 90
5c 45 5d 96        4a c3 46 e7
f0 2d ad c5        8c d8 95 a6
Shift row<br />
It is shown in Fig 5.5(a). The idea is to rotate the rows of the state (row r by r positions, as the example below shows)<br />
so that each column of the new state contains bytes from all the previous columns. Here is an example of the Shift Row transformation:<br />
87 f2 4d 97<br />
ec 6e 4c 90<br />
4a c3 46 e7<br />
8c d8 95 a6<br />
→<br />
87 f2 4d 97<br />
6e 4c 90 ec<br />
46 e7 4a c3<br />
a6 8c d8 95<br />
Mix column<br />
It is defined by the transformation<br />
\[ \begin{bmatrix} s_{00} & s_{01} & s_{02} & s_{03} \\ s_{10} & s_{11} & s_{12} & s_{13} \\ s_{20} & s_{21} & s_{22} & s_{23} \\ s_{30} & s_{31} & s_{32} & s_{33} \end{bmatrix} \leftarrow \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \begin{bmatrix} s_{00} & s_{01} & s_{02} & s_{03} \\ s_{10} & s_{11} & s_{12} & s_{13} \\ s_{20} & s_{21} & s_{22} & s_{23} \\ s_{30} & s_{31} & s_{32} & s_{33} \end{bmatrix} \]<br />
The idea is to ensure good mixing among the bytes of each column. In fact the above transformation is done<br />
independently on columns (as seen in Fig. 5.3) and is equivalent to the following (done for each column i = 0..3):<br />
\[ \begin{bmatrix} s_{0i} \\ s_{1i} \\ s_{2i} \\ s_{3i} \end{bmatrix} \leftarrow \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \begin{bmatrix} s_{0i} \\ s_{1i} \\ s_{2i} \\ s_{3i} \end{bmatrix} \]<br />
One criterion in constructing the Mix column transformation this way was to maximize the number of active<br />
(non-zero) bytes in input and output together. Also, any linear relation between bytes of input and output<br />
involves at least 5 different bytes. The coefficients in the matrix above are chosen as small as possible to improve<br />
speed on 8-bit processors. Notice that the inverse mix column transformation uses the matrix<br />
\[ \begin{bmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{bmatrix} \]<br />
whose coefficients are larger and so more expensive to implement. However, encryption is more important than<br />
decryption because:<br />
- in the CFB and OFB modes only encryption is used,<br />
- AES can be used (like any block cipher) for message authentication codes, where also only encryption is<br />
used.<br />
Add round key<br />
This is simply an xor with the current round key; see Fig. 5.4(b). The operation is viewed as a column-wise<br />
operation between the 4 bytes of a state column and one word of the round key. It can also be viewed as a<br />
byte-level operation.<br />
Key expansion<br />
The key expansion algorithm is given below.<br />
KeyExpansion Algorithm<br />
- given: the key key[16] with 16 bytes<br />
- computes: the expanded key w[44] with 44 words<br />
Algorithm<br />
1. for i from 0 to 3 do<br />
2. w[i] = (key[4i], key[4i+1], key[4i+2], key[4i+3])<br />
3. for i from 4 to 43 do<br />
4. temp = w[i−1]<br />
5. if i mod 4 = 0 then<br />
6. temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4]<br />
7. w[i] = w[i−4] ⊕ temp<br />
Some more details:<br />
- the key is copied in the first four words of the expanded key<br />
- the remainder of the expanded key is filled in four words at a time<br />
- each word w[i] depends on w[i−1] and w[i−4]<br />
- in three cases out of four, a simple xor is performed<br />
- when i is a multiple of 4, a more complex function g is used:<br />
- RotWord is a one-byte circular left shift<br />
- SubWord is a byte substitution using the S-box<br />
- the result is then xored with a round constant Rcon[j] = (RC[j], 0, 0, 0) where RC[1] = 1 and RC[i] =<br />
x · RC[i−1] = x^{i−1} (multiplication in GF(2^8)); that is,<br />
j 1 2 3 4 5 6 7 8 9 10<br />
RC[j] 01 02 04 08 10 20 40 80 1b 36
Here is an example of application of function g. If the round key for round 8 is<br />
ea d2 73 21 b5 8d ba d2 31 2b f5 60 7f 8d 29 2f<br />
then the first 4 bytes of the round key for round 9 (the word w[36]) are computed below:<br />
i (decimal) temp RotWord SubWord Rcon[9] xor with Rcon w[i−4] w[i] = temp ⊕ w[i−4]<br />
36 7f8d292f 8d292f7f 5da515d2 1b000000 46a515d2 ead27321 ac7766f3<br />
The key expansion algorithm is designed to resist known attacks. The round-dependent round constant ensures<br />
that the round keys are generated differently in different rounds. Therefore, knowledge of part of the cipher key or of a<br />
round key does not enable computing many other round keys.<br />
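As an added worked example (Python written for this page, not code from the notes), the following builds the AES S-box from the GF(2^8) inverse and the affine map, applies SubBytes, ShiftRows and MixColumns to the state of the examples above (arithmetic in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1), checks that the 0e/0b/0d/09 matrix really inverts MixColumns, and reproduces the key-expansion step that produces w[36] from round key 8. The function names and the constants EXAMPLE_STATE and ROUND_KEY_8 are this example's own; the two constants are copied from the worked examples in the text.<br />

```python
# Added example for the AES primitives described above (not the notes' code).
# Arithmetic is in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reducing by 0x11b."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse; 0 maps to 0 as in the S-box. Uses a^254 = a^-1."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0

def affine(b):
    """b'_i = b_i + b_(i+4) + b_(i+5) + b_(i+6) + b_(i+7) + c_i (indices mod 8, c = 0x63)."""
    out = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]
INV_SBOX = [SBOX.index(y) for y in range(256)]

def sub_bytes(state):           # state: 4 rows of 4 bytes, as printed in the notes
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):          # row r is rotated left by r positions
    return [row[r:] + row[:r] for r, row in enumerate(state)]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09], [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B], [0x0B, 0x0D, 0x09, 0x0E]]

def mix_columns(state, matrix=MIX):
    """Each column s_i is replaced by matrix * s_i over GF(2^8)."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(matrix[r][k], state[k][c])
            out[r][c] = acc
    return out

def inv_mix_columns(state):
    return mix_columns(state, INV_MIX)

def rcon(j):
    """RC[j] = x^(j-1) in GF(2^8): 01, 02, 04, ..., 80, 1b, 36."""
    rc = 1
    for _ in range(j - 1):
        rc = gf_mul(rc, 2)
    return rc

def g(word, j):
    """SubWord(RotWord(word)) xor Rcon[j], on a 4-byte list."""
    rotated = word[1:] + word[:1]
    out = [SBOX[b] for b in rotated]
    out[0] ^= rcon(j)
    return out

def next_round_key(round_key, j):
    """Round key j (four words) from round key j-1 (16 bytes): steps 3-7 of KeyExpansion."""
    w = [list(round_key[4 * i:4 * i + 4]) for i in range(4)]
    temp = g(w[3], j)
    for i in range(4):
        temp = [a ^ b for a, b in zip(w[i], temp)]
        w.append(temp)
    return w[4:]

# Constructed from the notes' examples: the state before SubBytes and round key 8.
EXAMPLE_STATE = [[0xEA, 0x04, 0x65, 0x85], [0x83, 0x45, 0x5D, 0x96],
                 [0x5C, 0x33, 0x98, 0xB0], [0xF0, 0x2D, 0xAD, 0xC5]]
ROUND_KEY_8 = bytes.fromhex("ead27321b58dbad2312bf5607f8d292f")

if __name__ == "__main__":
    print(hex(SBOX[0x01]), hex(SBOX[0x95]))                          # 0x7c 0x2a
    after = mix_columns(shift_rows(sub_bytes(EXAMPLE_STATE)))
    print([[f"{b:02x}" for b in row] for row in after])              # first column 47 37 94 ed
    print([f"{b:02x}" for b in next_round_key(ROUND_KEY_8, 9)[0]])  # ac 77 66 f3
```

The S-box is not typed in but derived, so the two worked positions ({01} → {7c}, {95} → {2a}) and the SubBytes example are checked against the table above rather than copied from it; inv_mix_columns(mix_columns(s)) == s confirms the inverse matrix given in the text.<br />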
7.3 Decryption<br />
As seen above, the decryption algorithm is different from the encryption algorithm. We show here a decryption<br />
algorithm which has the same structure as the encryption algorithm. It is shown in Fig. 5.7.<br />
Two observations are needed to make it clear that the algorithm works as intended. First, SubBytes<br />
and ShiftRows are inverted and then interchanged. This is possible because ShiftRows only permutes bytes while<br />
SubBytes acts on each byte independently, so<br />
InvShiftRows(InvSubBytes(s_i)) = InvSubBytes(InvShiftRows(s_i)).<br />
Second, when interchanging AddRoundKey (its own inverse) and InvMixColumns, we have to use<br />
InvMixColumns(s_i ⊕ w_j) = InvMixColumns(s_i) ⊕ InvMixColumns(w_j).<br />
This is true because InvMixColumns is linear, so it distributes over ⊕. Notice that we now have the operation InvMixColumns twice: on the<br />
state and on the round key.
8 MORE NUMBER THEORY<br />
...both Gauss and lesser mathematicians may be justified in rejoicing that there is one science<br />
[number theory] at any rate, and that their own, whose very remoteness from ordinary human<br />
activities should keep it gentle and clean.<br />
G. H. Hardy<br />
A Mathematician’s Apology, 1940<br />
G. H. Hardy would have been surprised and probably displeased with the increasing interest in<br />
number theory for applications to “ordinary human activities” such as information transmission and<br />
cryptography.<br />
Neal Koblitz<br />
A Course in Number Theory and Cryptography, 1994<br />
8.1 Complexity of arithmetic operations<br />
- big-O notation<br />
- upper bound on the complexity (running time) of an algorithm in which constant factors are suppressed<br />
- formally, if f, g : Z → R, then f(n) = O(g(n)) iff there are c > 0 and n_0 ∈ Z such that 0 ≤ f(n) ≤ c·g(n)<br />
for all n ≥ n_0<br />
- example: 2n^2 + 100n − 4000 = O(n^2)<br />
- representations of integers<br />
- n in base 2 has ⌊log_2 n⌋ + 1 ≈ log_2 n bits<br />
- n in base b has ⌊log_b n⌋ + 1 ≈ log_b n digits<br />
- this is the size of the input<br />
- arithmetic operations<br />
- assume m is a k-bit integer and n is an l-bit integer with k ≤ l;<br />
- addition – m + n can be done in time O(l)<br />
- subtraction – m − n can be done in time O(l)<br />
- multiplication – m × n can be done in time O(lk)<br />
- long division – n/m (n = qm + r, q > 0, 0 ≤ r ≤ m − 1) can be done in time O(k(l − k)), which is O(kl)<br />
- modular arithmetic operations<br />
- assume n is an l-bit integer and 0 ≤ m_1, m_2 ≤ n − 1<br />
- modular addition – (m_1 + m_2) mod n can be done in time O(l)<br />
- modular subtraction – (m_1 − m_2) mod n can be done in time O(l)<br />
- modular multiplication – (m_1 m_2) mod n can be done in time O(l^2)<br />
- greatest common divisor<br />
- computed by the Euclidean algorithm<br />
- complexity: the number of iterations is O(log r_0), so the total time is O(log^3 r_0) (proof idea: for any i, we have<br />
2r_{i+2} < r_i)<br />
- multiplicative inverses<br />
- computed by the Extended Euclidean algorithm<br />
- complexity: O(log^3 n)<br />
8.2 The Chinese remainder theorem<br />
- a method for solving systems of congruences
Theorem 8.1 (Chinese Remainder Theorem). If m_1, ..., m_r are pairwise relatively prime positive integers and<br />
a_1, ..., a_r are integers, then the system<br />
\[ \begin{cases} x \equiv a_1 \pmod{m_1} \\ x \equiv a_2 \pmod{m_2} \\ \quad\vdots \\ x \equiv a_r \pmod{m_r} \end{cases} \]<br />
has a unique solution modulo M = m_1 m_2 ··· m_r, given by<br />
\[ x = \sum_{i=1}^{r} a_i M_i y_i \bmod M, \]<br />
where M_i = M/m_i and y_i = M_i^{−1} mod m_i, 1 ≤ i ≤ r.<br />
Proof. Assume x as given. For any 1 ≤ i, j ≤ r, i ≠ j, we have m_j | M_i and so a_i M_i y_i ≡ 0 (mod m_j). But<br />
a_j M_j y_j ≡ a_j (mod m_j) by the definition of y_j. Thus, x is a solution.<br />
The uniqueness modulo M follows from the fact that the m_i’s are relatively prime. Indeed, if there are two<br />
solutions x and x′, then x and x′ must be congruent modulo M because of property 4 of congruences (see<br />
section 2.4). (Notice that the uniqueness follows also by a counting argument.)<br />
□<br />
Complexity (for computing a solution): O(r log^3 M)<br />
Example 8.2. Consider the system<br />
\[ \begin{cases} x \equiv 5 \pmod{7} \\ x \equiv 3 \pmod{11} \\ x \equiv 10 \pmod{13} \end{cases} \]<br />
We have here: a_1 = 5, a_2 = 3, a_3 = 10 and m_1 = 7, m_2 = 11, m_3 = 13. We compute M = 1001, M_1 = 143,<br />
M_2 = 91, M_3 = 77 and then y_1 = 5, y_2 = 4, y_3 = 12. The solution will be x = 13907 mod 1001 = 894. □<br />
Remark 8.3. Consider the function χ : Z_M → Z_{m_1} × ··· × Z_{m_r}, defined by χ(x) = (x mod m_1, ..., x<br />
mod m_r). The Chinese Remainder Theorem is equivalent to proving that χ is a bijection. In particular, this<br />
means we can represent numbers in Z_M (which can be very large in practice) as tuples of their remainders<br />
modulo m_i, 1 ≤ i ≤ r, (which are much smaller). This is called modular representation.<br />
Example 8.4. This example shows the above bijection χ. Consider r = 2, m_1 = 5, m_2 = 3. We have then<br />
M = 15 and the values of χ are:<br />
χ(0) = (0,0)<br />
χ(3) = (3,0)<br />
χ(6) = (1,0)<br />
χ(9) = (4,0)<br />
χ(12) = (2,0)<br />
χ(1) = (1,1)<br />
χ(4) = (4,1)<br />
χ(7) = (2,1)<br />
χ(10) = (0,1)<br />
χ(13) = (3,1)<br />
χ(2) = (2,2)<br />
χ(5) = (0,2)<br />
χ(8) = (3,2)<br />
χ(11) = (1,2)<br />
χ(14) = (4,2)<br />
Example 8.5. This example shows how large numbers can be manipulated using their modular representation<br />
as above. Consider r = 2, m_1 = 37, m_2 = 49. We have then M = 1813. The representations of the numbers<br />
973 and 678 are<br />
χ(678) = (678 mod 37, 678 mod 49) = (12, 41),<br />
χ(973) = (973 mod 37, 973 mod 49) = (11, 42).<br />
If we want to add or multiply then we work on each position in the tuples:<br />
χ(678 + 973) = (12 + 11 mod 37, 41 + 42 mod 49) = (23, 34),<br />
χ(678 × 973) = (12 × 11 mod 37, 41 × 42 mod 49) = (14, 32).<br />
□
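As an added example (Python written for this page, not the notes' code) covering the Euclidean-algorithm bullets of 8.1 and Examples 8.2–8.5: ext_gcd() is the extended Euclidean algorithm that yields the inverses y_i, crt() is Theorem 8.1 turned into an algorithm, and chi()/chi_inverse() are the modular representation of Remark 8.3 and its inverse, with rep_add()/rep_mul() working position by position as in Example 8.5. Note that recomputing 12 × 11 mod 37 and 41 × 42 mod 49 gives (21, 7), which differs from the pair printed in Example 8.5; the checks below use the recomputed pair. All function names are this example's own.<br />

```python
# Added example (not from the notes): the Chinese Remainder Theorem as an
# algorithm, plus the modular representation chi and its inverse.

def ext_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0

def mod_inverse(a, m):
    """a^-1 mod m via the extended Euclidean algorithm; raises if gcd(a, m) != 1."""
    g, u, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return u % m

def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime m_i; returns (x, M) with 0 <= x < M.
    Follows Theorem 8.1: x = sum a_i * M_i * y_i mod M, with y_i = M_i^-1 mod m_i."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a, m in zip(residues, moduli):
        M_i = M // m
        y_i = mod_inverse(M_i, m)
        x += a * M_i * y_i
    return x % M, M

def chi(x, moduli):
    """Modular representation chi(x) = (x mod m_1, ..., x mod m_r)."""
    return tuple(x % m for m in moduli)

def chi_inverse(t, moduli):
    """Inverse of chi: Z_{m_1} x ... x Z_{m_r} -> Z_M, i.e. the CRT applied to the tuple."""
    return crt(list(t), moduli)[0]

def rep_add(s, t, moduli):
    """Add two numbers given in modular representation, position by position."""
    return tuple((a + b) % m for a, b, m in zip(s, t, moduli))

def rep_mul(s, t, moduli):
    """Multiply two numbers given in modular representation, position by position."""
    return tuple((a * b) % m for a, b, m in zip(s, t, moduli))

if __name__ == "__main__":
    print(crt([5, 3, 10], [7, 11, 13]))                 # (894, 1001), Example 8.2
    m = [37, 49]
    s, t = chi(678, m), chi(973, m)
    print(s, t, rep_add(s, t, m), rep_mul(s, t, m))     # (12, 41) (11, 42) (23, 34) (21, 7)
    print(chi_inverse(rep_mul(s, t, m), m) == 678 * 973 % 1813)   # True
```

chi_inverse() applied to the tuple of a sum or product returns the sum or product reduced modulo M, which is what makes the representation useful for arithmetic on large numbers.<br />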
8.3 The theorems of Fermat <strong>and</strong> Euler<br />
Theorem 8.6 (Fermat’s Little Theorem). If p is a prime, then, for any integer a such that p ∤ a, we have<br />
a^{p−1} ≡ 1 (mod p).<br />
Proof. We first prove that<br />
{0a mod p, 1a mod p, ..., (p−1)a mod p} = {0, 1, ..., p−1}.<br />
Indeed, if ia ≡ ja (mod p), then p | (i−j)a; since p ∤ a, p | (i−j), and as 0 ≤ i, j ≤ p−1 this gives i = j.<br />
Therefore, (p−1)! a^{p−1} ≡ (p−1)! (mod p). Since (p−1)! is not divisible by p, we have that p | (a^{p−1} − 1),<br />
as claimed.<br />
□<br />
Corollary 8.7. If p is a prime and a is an integer, then a^p ≡ a (mod p).<br />
Euler’s theorem is a generalization. Fermat’s is obtained for m prime. We shall need a lemma.<br />
Lemma 8.8. If gcd(m, n) = 1, then φ(mn) = φ(m)φ(n).<br />
Proof. The Chinese Remainder Theorem shows that there is a 1-to-1 correspondence between the numbers<br />
i, 0 ≤ i ≤ mn − 1, which are relatively prime with mn and the pairs (i_1, i_2) such that 0 ≤ i_1 ≤ m − 1,<br />
0 ≤ i_2 ≤ n − 1, and i_1 is relatively prime with m, i_2 is relatively prime with n. □<br />
Note: Using Lemma 8.8 we can prove the formula for Euler’s function (Theorem 2.5).<br />
Theorem 8.9 (Euler’s Theorem). If gcd(a, m) = 1, then a^{φ(m)} ≡ 1 (mod m).<br />
Proof. The case of prime powers m = p^k, p prime, k ≥ 1. Induction on k. k = 1 is Fermat’s Little Theorem.<br />
Assume it for k − 1 and prove it for k. We have a^{φ(p^{k−1})} ≡ 1 (mod p^{k−1}) and so a^{p^{k−1} − p^{k−2}} = 1 + p^{k−1} b, for<br />
some integer b. Then, raising to the power p, we get a^{p^k − p^{k−1}} = 1 + p^k c, for some integer c.<br />
For arbitrary m = p_1^{k_1} p_2^{k_2} ··· p_r^{k_r}, we use the result for prime powers and property 4 of congruences (see<br />
section 2.4).<br />
□<br />
Note: Euler’s theorem can also be proved the same way we proved Fermat’s theorem. Consider the elements<br />
which are smaller than m and relatively prime with m, say x_1, x_2, ..., x_{φ(m)}. Then {a x_i mod m | 1 ≤ i ≤<br />
φ(m)} = {x_i | 1 ≤ i ≤ φ(m)} and the reasoning continues similarly.<br />
8.4 Cyclic groups <strong>and</strong> primitive elements<br />
Theorem 8.10 (Lagrange’s Theorem). If G is a finite group and H is a subgroup of G, then |H| divides |G|.<br />
Proof. A coset of H is xH for x ∈ G. It is easy to see that two cosets are either identical or disjoint. Since<br />
the cardinality of any coset is |H|, we get that G is a disjoint union of |H|-element sets. The claim follows. □<br />
Note: Because Z_n^* is a multiplicative group of order φ(n), Lagrange’s theorem implies Euler’s theorem.<br />
If G is a multiplicative group and g ∈ G, then the order of g is the smallest m ≥ 1 such that g^m = 1; it is<br />
denoted ord(g). We have that 〈g〉 = {g^i | 0 ≤ i ≤ ord(g) − 1} is a subgroup of G.<br />
Corollary 8.11. If G is a multiplicative group of order n and g ∈ G, then ord(g) | n.<br />
A cyclic group is a group G having an element of order |G|; such an element is called a generator or<br />
primitive element of G. When G = Z_p^*, it is also called a primitive root.<br />
Lemma 8.12. If α ∈ Z_n^* and i ≥ 1, then ord(α^i) = ord(α) / gcd(ord(α), i).<br />
Proof. The order of α^i is the smallest positive k such that ik is a multiple of ord(α). That is, ik is both a<br />
multiple of i and of ord(α), so it must be that ik = lcm(ord(α), i). We get k = lcm(ord(α), i)/i = ord(α) / gcd(ord(α), i).<br />
□<br />
Theorem 8.13. If p is prime, then Z_p^* is a cyclic group. The number of primitive elements modulo p is φ(p−1).
Proof (sketch). Assume a is an element of order d of Z_p^*. Then d | p−1. Also, all elements a, a^2, ..., a^d = 1<br />
are distinct and are all the roots of the equation x^d = 1. Therefore, all elements of order d are powers of a.<br />
Also, by the previous lemma, a power a^j has order d iff gcd(d, j) = 1. Thus, if there is an element of order d,<br />
then there are exactly φ(d) elements of order d.<br />
Every element has some order which divides p−1. Since Σ_{d | p−1} φ(d) = p−1 = |Z_p^*|, it must be that there<br />
are always φ(d) elements of order d (and never 0).<br />
In particular, there are φ(p−1) elements of order p−1.<br />
□<br />
Example 8.14. For p = 13, there should be φ(13−1) = 4 primitive elements modulo 13. Let us compute all<br />
powers of 2 modulo 13:<br />
2^0 mod 13 = 1<br />
2^1 mod 13 = 2<br />
2^2 mod 13 = 4<br />
2^3 mod 13 = 8<br />
2^4 mod 13 = 3<br />
2^5 mod 13 = 6<br />
2^6 mod 13 = 12<br />
2^7 mod 13 = 11<br />
2^8 mod 13 = 9<br />
2^9 mod 13 = 5<br />
2^10 mod 13 = 10<br />
2^11 mod 13 = 7<br />
We can see that 2 is a primitive element modulo 13. Also, 2^i is primitive if and only if gcd(i, 12) = 1; that<br />
happens for i = 1, 5, 7, 11. Therefore the primitive elements modulo 13 are 2, 6, 7, 11.<br />
□<br />
Example 8.15. Let us compute all powers of all elements of Z_19^* (each row lists x, x^2, x^3, ... and stops at the first power equal to 1):<br />
x x^2 x^3 x^4 x^5 x^6 x^7 x^8 x^9 x^10 x^11 x^12 x^13 x^14 x^15 x^16 x^17 x^18<br />
1<br />
2 4 8 16 13 7 14 9 18 17 15 11 3 6 12 5 10 1<br />
3 9 8 5 15 7 2 6 18 16 10 11 14 4 12 17 13 1<br />
4 16 7 9 17 11 6 5 1<br />
5 6 11 17 9 7 16 4 1<br />
6 17 7 4 5 11 9 16 1<br />
7 11 1<br />
8 7 18 11 12 1<br />
9 5 7 6 16 11 4 17 1<br />
10 5 12 6 3 11 15 17 18 9 14 7 13 16 8 4 2 1<br />
11 7 1<br />
12 11 18 7 8 1<br />
13 17 12 4 14 11 10 16 18 6 2 7 15 5 8 9 3 1<br />
14 6 8 17 10 7 3 4 18 5 13 11 2 9 12 16 15 1<br />
15 16 12 9 2 11 13 5 18 4 3 7 10 17 8 6 14 1<br />
16 9 11 5 4 7 17 6 1<br />
17 4 11 16 6 7 5 9 1<br />
18 1<br />
We have ord(4) = 9 and ord(4^5) = 9 / gcd(9, 5) = 9, ord(4^3) (= ord(7)) = 9 / gcd(9, 3) = 3.<br />
Also, there should be φ(18) = 6 primitive elements; those are 2, 3, 10, 13, 14, 15.<br />
It might take very long to verify all powers of a number to check whether it is primitive or not. Here is a<br />
better way.<br />
Theorem 8.16. Let p be a prime and α ∈ Z_p^*. Then α is primitive iff α^{(p−1)/q} ≢ 1 (mod p) for all primes<br />
q | (p−1).<br />
Proof. If α is primitive, then α^i ≢ 1 (mod p), for all 1 ≤ i ≤ p−2.<br />
Conversely, assume α is not primitive and let d be its order. By Lagrange’s theorem, d | (p−1) and, since<br />
α is not primitive, d < p − 1. Thus (p − 1)/d > 1 and let q be a prime divisor of (p − 1)/d. Since d | (p−1)/q, we have then<br />
α^{(p−1)/q} ≡ 1 (mod p).<br />
□
Example 8.17. For p = 13, in order to see that 2 is primitive modulo 13, we need only to check that 2^6 ≢ 1<br />
(mod 13) and 2^4 ≢ 1 (mod 13).<br />
For p = 19, we see that x ∈ Z_19^* is primitive by verifying that x^6 ≢ 1 (mod 19) and x^9 ≢ 1 (mod 19); see<br />
the above table.<br />
□<br />
8.5 Discrete logarithms<br />
Given a group (G, ·) and an element α ∈ G such that ord(α) = n, we have that 〈α〉 = {α^i | 0 ≤ i ≤ n−1} is a<br />
subgroup of G. Therefore, for each β ∈ 〈α〉, there is a unique a, 0 ≤ a ≤ n−1, such that α^a = β; this is called the logarithm<br />
of β in base α.<br />
A particular case of this is G = Z_p^*, p prime, and α a primitive element modulo p. This a is denoted log_α(β)<br />
(logarithm of β in base α modulo p) or ind_{α,p}(β) (the index of β for the base α modulo p).<br />
Example 8.18. For p = 19 and α = 3, we have that log_3(5) = 4 and log_3(12) = 15.<br />
□<br />
Discrete Logarithm Problem (discretelog)<br />
- given: p a prime, α ∈ Z_p^* primitive, β ∈ Z_p^*<br />
- compute: log_α β = a, 0 ≤ a ≤ p−2, such that α^a ≡ β (mod p)
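An added example for Sections 8.4 and 8.5 (Python written for this page, not the notes' code): the order of an element, the primitive-element test of Theorem 8.16 (which needs the distinct prime divisors of p − 1, found here by trial division), the count φ(p − 1), and the discrete logarithm by exhaustive search, checked against Examples 8.14, 8.15 and 8.18. The brute-force discrete_log() only illustrates the definition; its running time is O(p), which is exactly why the Discrete Logarithm Problem is considered hard for large p. All function names are this example's own.<br />

```python
# Added example (not the notes' code): orders, primitive elements via
# Theorem 8.16, and discrete logarithms by exhaustive search in Z_p^*.

def prime_factors(n):
    """Distinct prime divisors of n by trial division (fine for small n)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors

def order(alpha, p):
    """Smallest m >= 1 with alpha^m = 1 (mod p); by Lagrange it divides p-1."""
    for m in range(1, p):
        if (p - 1) % m == 0 and pow(alpha, m, p) == 1:
            return m
    raise ValueError("alpha is not in Z_p^*")

def is_primitive(alpha, p):
    """Theorem 8.16: alpha is primitive iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    if alpha % p == 0:
        return False
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def primitive_elements(p):
    return [a for a in range(1, p) if is_primitive(a, p)]

def euler_phi(n):
    """phi(n) by the product formula over the distinct prime divisors of n."""
    result = n
    for q in prime_factors(n):
        result = result // q * (q - 1)
    return result

def discrete_log(alpha, beta, p):
    """log_alpha(beta) in Z_p^*: the a in [0, p-2] with alpha^a = beta, by trying every a.
    Costs O(p) multiplications, so it is only practical for small p."""
    x = 1
    for a in range(p - 1):
        if x == beta % p:
            return a
        x = x * alpha % p
    raise ValueError("beta is not a power of alpha")

if __name__ == "__main__":
    for p in (13, 19):
        print(p, primitive_elements(p), euler_phi(p - 1))   # 4 and 6 primitive elements
    print(order(4, 19), order(pow(4, 5, 19), 19), order(7, 19))   # 9 9 3, Example 8.15
    print(discrete_log(3, 5, 19), discrete_log(3, 12, 19))        # 4 15, Example 8.18
```

For p = 13 the test checks only the exponents 6 and 4 of Example 8.17, and for p = 19 only 9 and 6, instead of walking through all powers as in the tables above.<br />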
9 PUBLIC-KEY CRYPTOGRAPHY AND RSA<br />
9.1 The idea of public keys<br />
In the classical model of cryptography we studied so far, Alice and Bob secretly choose a key K. Both encryption<br />
and decryption algorithms, e_K and d_K, are derived from this key. So, they have to meet prior to communicating,<br />
which is a major drawback; this is called the key management problem.<br />
The idea behind public-key cryptography is to find ciphers where it is computationally infeasible to find d_K<br />
from e_K. If so, then the encryption key (Bob’s), called the public key, can be made public. Thus, anyone can send<br />
messages to Bob without prior communication and only Bob can decrypt because only he knows the private<br />
key d_K.<br />
The idea of public-key systems was developed by Diffie and Hellman in 1976. It is depicted in Fig. 9.1(a).<br />
(Figure 9.1(b) shows a different way of using it to provide authentication.) It is the most important change in<br />
the history of cryptography. Each party has two keys, one public and one private. Either key can be used for<br />
encryption and the other one will be used for decryption. The first realization¹ of a public-key system was RSA<br />
by Rivest, Shamir, and Adleman in 1977.<br />
¹ Diffie and Hellman were the first to make public the ideas behind public-key cryptography and RSA was the first realization<br />
of these ideas which was made public. The idea of public-key cryptography was claimed to have been discovered first by NSA in<br />
the mid-1960s. The first documented introduction of these concepts happened in 1970 in a classified report by James Ellis from CESG<br />
(Communication-Electronics Security Group) of the GCHQ (British Government Headquarters). Also included in the report was<br />
a paper by Clifford Cocks which described a cipher which is essentially the same as RSA.
Notice that unconditional security is impossible here. Oscar, having y, simply tries all x’s until he finds the<br />
unique one with e_K(x) = y, since K is the public key. Therefore, we study computational security. It should be<br />
computationally infeasible to determine the private key given the public one.<br />
The basic tools are one-way functions and trapdoor one-way functions. Notice that no provably<br />
one-way function is known.<br />
Two important comments:<br />
- public-key encryption is not more secure than symmetric encryption, just different<br />
- public-key systems are much slower than symmetric ones and therefore they are not replacing the symmetric<br />
ones; the public-key ciphers are used for key management and signatures.<br />
9.2 The RSA cryptosystem<br />
The RSA Cryptosystem<br />
P = C = Z_n; n = pq, p, q odd primes<br />
K = {(n, p, q, a, b) | n = pq, p, q primes, ab ≡ 1 (mod φ(n))}.<br />
public: n, b<br />
private: p, q, a<br />
encryption: e_K(x) = x^b mod n<br />
decryption: d_K(y) = y^a mod n<br />
Note: φ(n) = (p−1)(q−1)<br />
Let us prove the correctness of RSA. Since ab ≡ 1 (mod φ(n)), there is an integer t ≥ 1 such that ab =<br />
tφ(n) + 1. If x ∈ Z_n^*, then, by Euler’s theorem,<br />
y^a ≡ (x^b)^a ≡ x^{tφ(n)+1} ≡ (x^{φ(n)})^t x ≡ 1^t x ≡ x (mod n).<br />
If x ∈ Z_n − Z_n^*, then either x = 0 or x is divisible by p or q but not both. x = 0 is clear. Assume p | x. Then<br />
obviously x^{ab} ≡ x (mod p). Also, as above (using Fermat’s theorem modulo q), x^{ab} ≡ x (mod q). By property 4 of congruences (see section 2.4),<br />
we are done.<br />
Example 9.1. Assume Bob chooses p = 101 and q = 113. Then n = 11413 and φ(n) = 11200 = 2^6 · 5^2 · 7. An<br />
integer b can be used as encryption exponent iff b is not divisible by 2, 5, or 7. (In practice, Bob will not factor<br />
φ(n) but just verify that gcd(b, φ(n)) = 1 and compute b^{−1} mod φ(n) at the same time.) Assume Bob chooses<br />
b = 3533. Then the private decryption exponent is a = b^{−1} mod 11200 = 6597. Bob publishes n = 11413 and<br />
b = 3533 in a directory.<br />
Now suppose Alice wants to encrypt the plaintext 9726 and send it to Bob. Then she computes<br />
9726^3533 mod 11413 = 5761<br />
and sends it to Bob. Bob receives the ciphertext 5761 and computes<br />
5761^6597 mod 11413 = 9726,<br />
that is, the plaintext.<br />
□<br />
9.3 RSA security<br />
The security of RSA is based on two one-way functions:<br />
- modular exponentiation (difficult problem: discrete logarithm)<br />
- multiplication of primes (difficult problem: factoring)<br />
- trapdoor: p and q; Bob can compute φ(n) = (p−1)(q−1) and so the decryption exponent a
9.4 Implementation<br />
Setting up RSA<br />
1. Bob generates two large primes p and q<br />
2. Bob computes n = pq and φ(n) = (p−1)(q−1)<br />
3. Bob chooses a random b, 1 < b < φ(n), such that gcd(b, φ(n)) = 1<br />
4. Bob computes a = b^{−1} mod φ(n) using the extended Euclidean alg.<br />
5. Bob publishes n and b in a directory as his public key<br />
Current factorization algorithms are able to factor numbers up to 155 decimal digits, which means 512 bits.<br />
Therefore, p and q should be primes of approximately 512 bits each such that n will have 1024 bits.<br />
We have to be able to find large primes reasonably fast. The Prime Number Theorem says that the<br />
number of primes smaller than N is approximately N/ln N. Thus, the probability that a p randomly chosen<br />
between 1 and N is a prime is 1/ln N; if p is chosen odd then this probability becomes 2/ln N. For 512-bit<br />
primes, that means 2/ln 2^512 ≈ 2/355. That is, on average, one out of 178 random 512-bit odd integers is prime.<br />
We shall guess and verify: choose a random number and test whether it is a prime. We obtain only a probable<br />
prime, but one that is prime with very high probability.<br />
We shall also need efficient encrypting and decrypting. That is, we have to be able to do fast modular<br />
exponentiation (by repeated modular multiplication we need, for x^c mod n, c − 1 modular multiplications,<br />
which is very inefficient if c is large; c can be as large as φ(n) − 1, which is exponential in the size of the input).<br />
9.5 Fast modular exponentiation<br />
Square-<strong>and</strong>-multiply algorithm<br />
- given: n, x, b (b is assumed in base 2, b = Σ_{i=0}^{l−1} b_i 2^i)<br />
- computes: x^b mod n<br />
Algorithm:<br />
1. z = 1<br />
2. for i = l−1 downto 0 do<br />
3. z = z^2 mod n<br />
4. if b_i = 1 then z = z·x mod n<br />
Complexity: O(k^3), where k = ⌊log_2 n⌋ + 1<br />
Example 9.2. Assume, from the previous example, that n = 11413 and b = 3533. Alice wants to encrypt 9726<br />
so she has to compute 9726^3533 mod 11413. The computation, using the Square-and-Multiply algorithm,<br />
is shown below. The ciphertext is 5761.<br />
□<br />
i b_i z (all computed mod 11413)<br />
11 1 1^2 × 9726 = 9726<br />
10 1 9726^2 × 9726 = 2659<br />
9 0 2659^2 = 5634<br />
8 1 5634^2 × 9726 = 9167<br />
7 1 9167^2 × 9726 = 4958<br />
6 1 4958^2 × 9726 = 7783<br />
5 0 7783^2 = 6298<br />
4 0 6298^2 = 4629<br />
3 1 4629^2 × 9726 = 10185<br />
2 1 10185^2 × 9726 = 105<br />
1 0 105^2 = 11025<br />
0 1 11025^2 × 9726 = 5761
Remark 9.3. In practice, the exponentiation in RSA can be done faster. Assume we need to compute x^e<br />
mod n. We shall compute e_p = e mod (p−1) and e_q = e mod (q−1). Then, we compute x^{e_p} mod p and x^{e_q}<br />
mod q. The number we look for, x^e mod n, is the unique solution z of the system<br />
\[ \begin{cases} z \equiv x^{e_p} \pmod{p} \\ z \equiv x^{e_q} \pmod{q}. \end{cases} \]<br />
The exponentiation with a k-bit exponent requires at most 2k multiplications and squarings (expected<br />
(3/2)k). Then, if p and q have t bits each, computing x^e mod n will take approximately 2(2t)^3 bit operations. The<br />
proposed variant takes only 2·2t^3 bit operations, which means it is 4 times faster.<br />
Notice also that a system of two modular equations can be solved more easily than in the general case. Consider the system<br />
\[ \begin{cases} x \equiv a_1 \pmod{p} \\ x \equiv a_2 \pmod{q} \end{cases} \]<br />
It has the solution x = (a_1 + p(a_2 − a_1)(p^{−1} mod q)) mod (pq).<br />
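An added example (Python written for this page, not the notes' code) for Sections 9.4–9.5 and Remark 9.3: rsa_setup() performs steps 2–4 of "Setting up RSA" with the numbers of Example 9.1, square_and_multiply() returns the sequence of z values of Example 9.2 alongside the result, and rsa_decrypt_crt() decrypts with the two exponentiations modulo p and q combined by the two-congruence formula above. Python's built-in pow(b, -1, m) (Python 3.8 and later) is used for the modular inverse in place of an explicit extended Euclidean algorithm; the function names are this example's own.<br />

```python
# Added example (not the notes' code): RSA setup, square-and-multiply with a trace,
# and CRT decryption as in Remark 9.3. Numbers follow Examples 9.1 and 9.2.
from math import gcd

def square_and_multiply(x, b, n):
    """x^b mod n, scanning the bits of b from the most significant one.
    Returns (result, trace); trace[i] is z after the i-th iteration of step 2."""
    z, trace = 1, []
    for bit in bin(b)[2:]:
        z = z * z % n              # step 3: z = z^2 mod n
        if bit == "1":
            z = z * x % n          # step 4: z = z*x mod n when b_i = 1
        trace.append(z)
    return z, trace

def rsa_setup(p, q, b):
    """Steps 2-4 of 'Setting up RSA': returns (n, phi(n), a) with ab = 1 (mod phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(b, phi) != 1:
        raise ValueError("b must be coprime to phi(n)")
    a = pow(b, -1, phi)            # modular inverse (Python 3.8+), i.e. extended Euclid
    return n, phi, a

def rsa_encrypt(x, b, n):
    return square_and_multiply(x, b, n)[0]

def rsa_decrypt_crt(y, a, p, q):
    """Remark 9.3: y^a mod pq via one exponentiation modulo p and one modulo q,
    each with the exponent reduced modulo p-1 resp. q-1 (Fermat), then combined with
    x = (a_1 + p*(a_2 - a_1)*(p^-1 mod q)) mod pq."""
    a_p, a_q = a % (p - 1), a % (q - 1)
    z_p = square_and_multiply(y % p, a_p, p)[0]
    z_q = square_and_multiply(y % q, a_q, q)[0]
    p_inv_q = pow(p, -1, q)
    return (z_p + p * ((z_q - z_p) * p_inv_q % q)) % (p * q)

if __name__ == "__main__":
    n, phi, a = rsa_setup(101, 113, 3533)
    print(n, phi, a)                           # 11413 11200 6597
    y, trace = square_and_multiply(9726, 3533, n)
    print(y, trace)                            # 5761 and the z column of Example 9.2
    print(rsa_decrypt_crt(y, a, 101, 113))     # 9726
```

rsa_setup() is also the content of Theorem 9.4 in miniature: whoever knows p and q computes φ(n) and from it the private exponent a, so factoring n solves the RSA problem.<br />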
Still, if we compare the fastest hardware implementations for RSA and DES we see that symmetric ciphers<br />
are much faster than public-key ciphers. For instance, RSA can encrypt approx. 600 Kbit per second (with a<br />
512-bit modulus n; i.e., about 154 decimal digits; log_2 10 = 3.3219809...) while DES can encrypt approx. 1 Gbit<br />
per second. That is, DES is 1500 times faster!<br />
9.6 Complexity<br />
Given two problems P_1 and P_2. We say that P_1 is polynomial-time reducible to P_2, denoted P_1 ≤_P P_2, iff<br />
a polynomial-time algorithm for P_2 gives a polynomial-time algorithm for P_1<br />
- that is, P_2 is at least as difficult as P_1<br />
If P_1 ≤_P P_2 and P_2 ≤_P P_1, then P_1 and P_2 are called computationally equivalent.<br />
RSA Problem (rsap)<br />
- given: (n, b, y), n a product of two primes p and q, b a positive integer with gcd(b, (p−1)(q−1)) = 1, and<br />
y an integer<br />
- compute: x an integer such that x^b ≡ y (mod n)<br />
Factoring Problem (factoring)<br />
- given: n a positive integer<br />
- compute: its prime factorization n = p_1^{e_1} p_2^{e_2} ··· p_k^{e_k}<br />
Theorem 9.4. rsap ≤_P factoring.<br />
Conjecture 9.5. factoring ≤_P rsap. This means rsap and factoring are computationally equivalent.<br />
9.7 R<strong>and</strong>omized algorithms<br />
In some very real sense, computation is inherently r<strong>and</strong>omized. It can be argued that the probability<br />
that a computer will be destroyed by a meteorite during any given microsecond of its operation is<br />
at least 2 −100 .<br />
Christos Papadimitriou<br />
Computational Complexity
- decision problem – a problem with yes/no answer<br />
- deterministic algorithm – no choice during computation – answer is yes or no<br />
- for a given input, the algorithm has the same execution path whenever it is run<br />
- P – problems solvable by deterministic algorithms running in polynomial time<br />
- nondeterministic algorithm – choices during computation – many answers; at least one positive answer<br />
means yes<br />
- guess <strong>and</strong> verify<br />
- NP – problems solvable by nondeterministic algorithms running in polynomial time<br />
- coNP – complements of those in NP<br />
- NP-complete – the hardest problems in NP; if any of those can be solved in polynomial time, then<br />
all in NP can (there are thous<strong>and</strong>s of NP-complete problems which are believed to have no deterministic<br />
polynomial-time algorithms)<br />
- randomized algorithm – makes random choices<br />
- the execution path may differ each time the algorithm is run on the same input<br />
- Monte Carlo algorithms (yes-biased)<br />
- the yes answers are always correct while the no answers might be incorrect<br />
- (no false positives)<br />
- the probability of a false negative is at most 1/2 (any constant below 1 would do: k independent runs, answering yes if any run says yes, reduce it to $2^{-k}$)<br />
- the complexity class of problems with polynomial-time Monte Carlo algorithms is denoted RP (randomized polynomial time)<br />
- Las Vegas algorithms<br />
- the answer is always correct but there might be no answer<br />
- the complexity class of problems with polynomial-time Las Vegas algorithms is denoted ZPP (zero probability of error)<br />
- ZPP = RP ∩ coRP<br />
- Atlantic City algorithms<br />
- both the yes and the no answers may be wrong, but the probability of a correct answer is bounded away from 1/2 (e.g. at least 2/3)<br />
- complexity class BPP (bounded-error probabilistic polynomial time)<br />
Theorem 9.6. P ⊆ ZPP ⊆ RP ⊆ BPP ∩ NP<br />
Figure 11: Complexity classes (diagram of the inclusions P ⊆ ZPP ⊆ RP, coRP ⊆ BPP = coBPP, with RP ⊆ NP, coRP ⊆ coNP and the NP-complete problems inside NP)<br />
9.8 Primality tests<br />
Composites Problem (composites)<br />
- given: n a positive integer<br />
- compute: whether n is composite or not<br />
Assume p is an odd prime. An integer x is called a quadratic residue modulo p if $x \not\equiv 0 \pmod p$ and the<br />
congruence $y^2 \equiv x \pmod p$ has a solution in $\mathbb{Z}_p$. x is a quadratic non-residue if $x \not\equiv 0 \pmod p$ and x is not<br />
a quadratic residue modulo p.<br />
If p is prime and a is a quadratic residue modulo p, then the equation $x^2 \equiv a \pmod p$ has exactly two<br />
solutions (square roots of a modulo p). Indeed, put $a \equiv y^2 \pmod p$. Then $x^2 \equiv y^2 \pmod p$ and so $p \mid (x-y)(x+y)$;<br />
since p is prime it divides one of the two factors, hence $x \equiv \pm y \pmod p$ (and $y \not\equiv -y$ because p is odd).<br />
Theorem 9.7 (Euler's criterion). Let p be an odd prime. Then x is a quadratic residue modulo p iff<br />
$$x^{(p-1)/2} \equiv 1 \pmod p.$$<br />
Proof. If $x \equiv y^2 \pmod p$, then by Fermat's theorem<br />
$$x^{(p-1)/2} \equiv (y^2)^{(p-1)/2} \equiv y^{p-1} \equiv 1 \pmod p.$$<br />
Conversely, let b be a primitive element modulo p and $x \equiv b^i \pmod p$, for some i. We have<br />
$$1 \equiv x^{(p-1)/2} \equiv (b^i)^{(p-1)/2} \equiv b^{i(p-1)/2} \pmod p.$$<br />
Now $p-1 = \mathrm{ord}(b)$ must divide $i(p-1)/2$, hence i is even and $\pm b^{i/2}$ are the square roots of x.<br />
□<br />
Quadratic Residues Problem (quadratic residues)<br />
- given: p an odd prime and x an integer, $1 \le x \le p-1$<br />
- compute: whether x is a quadratic residue modulo p or not<br />
Algorithm: use Euler's criterion (one modular exponentiation by square-and-multiply)<br />
Complexity: $O((\log p)^3)$<br />
The Legendre symbol, denoted $\left(\frac{a}{p}\right)$, is defined, for p an odd prime and $a \ge 0$, by<br />
$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } a \equiv 0 \pmod p \\ 1 & \text{if } a \text{ is a quadratic residue modulo } p \\ -1 & \text{if } a \text{ is a quadratic non-residue modulo } p \end{cases}$$<br />
Theorem 9.8. If p is an odd prime, then<br />
$$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p.$$<br />
Proof. We have seen in Theorem 9.7 that a is a quadratic residue modulo p iff $a^{(p-1)/2} \equiv 1 \pmod p$. Clearly,<br />
$a^{(p-1)/2} \equiv 0 \pmod p$ iff $a \equiv 0 \pmod p$. Finally, if a is a quadratic non-residue modulo p, then $a^{(p-1)/2}$ is a square root of 1 modulo p<br />
(its square is $a^{p-1} \equiv 1 \pmod p$ by Fermat's theorem), so it is congruent to one of $\pm 1$; as $a^{(p-1)/2} \not\equiv 1 \pmod p$, we get $a^{(p-1)/2} \equiv -1 \pmod p$.<br />
□<br />
We define next a generalization of the Legendre symbol to arbitrary odd moduli (not necessarily primes).<br />
The Jacobi symbol, denoted $\left(\frac{a}{n}\right)$, for n an odd positive integer and $a \ge 0$, is defined as follows. Assuming<br />
$$n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$$<br />
is the prime factorization of n, then<br />
$$\left(\frac{a}{n}\right) = \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{e_i}.$$<br />
Note that for composite n the Jacobi symbol no longer tells whether a is a quadratic residue modulo n: $\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = (-1)(-1) = 1$, yet 2 is not a square modulo 15.<br />
Example 9.9. Consider the Jacobi symbol $\left(\frac{6278}{9975}\right)$. Because $9975 = 3 \times 5^2 \times 7 \times 19$, we have<br />
$$\left(\frac{6278}{9975}\right) = \left(\frac{6278}{3}\right)\left(\frac{6278}{5}\right)^2\left(\frac{6278}{7}\right)\left(\frac{6278}{19}\right) = \left(\frac{2}{3}\right)\left(\frac{3}{5}\right)^2\left(\frac{6}{7}\right)\left(\frac{8}{19}\right) = (-1)(-1)^2(-1)(-1) = -1.$$<br />
We shall need to be able to compute the Jacobi symbol and, fortunately, we don't have to factorize n. The<br />
properties below help us do this; n is assumed to be an odd positive integer:<br />
1. if $m_1 \equiv m_2 \pmod n$ then $\left(\frac{m_1}{n}\right) = \left(\frac{m_2}{n}\right)$<br />
2. $\left(\frac{2}{n}\right) = \begin{cases} 1 & \text{if } n \equiv \pm 1 \pmod 8 \\ -1 & \text{if } n \equiv \pm 3 \pmod 8 \end{cases}$<br />
3. $\left(\frac{m_1 m_2}{n}\right) = \left(\frac{m_1}{n}\right)\left(\frac{m_2}{n}\right)$;<br />
- in particular, if $m = 2^k t$, t odd, then $\left(\frac{m}{n}\right) = \left(\frac{2}{n}\right)^k \left(\frac{t}{n}\right)$<br />
4. if m, n are odd and positive, then (quadratic reciprocity for the Jacobi symbol)<br />
$$\left(\frac{m}{n}\right) = \begin{cases} -\left(\frac{n}{m}\right) & \text{if } m \equiv n \equiv 3 \pmod 4 \\ \left(\frac{n}{m}\right) & \text{otherwise} \end{cases}$$<br />
Repeatedly reducing the numerator modulo the denominator (property 1), pulling out the factors of 2 (properties 2 and 3) and then flipping the symbol (property 4) is just the Euclidean algorithm with some sign bookkeeping, so no factorization is needed. The complexity of this algorithm is $O((\log n)^3)$.<br />
Example 9.10. We evaluate below the Jacobi symbol $\left(\frac{7411}{9283}\right)$.<br />
$\left(\frac{7411}{9283}\right) = -\left(\frac{9283}{7411}\right)$ (property 4: $7411 \equiv 9283 \equiv 3 \pmod 4$)<br />
$= -\left(\frac{1872}{7411}\right)$ (property 1)<br />
$= -\left(\frac{2}{7411}\right)^4 \left(\frac{117}{7411}\right)$ (property 3: $1872 = 2^4 \times 117$)<br />
$= -\left(\frac{117}{7411}\right)$ (property 2)<br />
$= -\left(\frac{7411}{117}\right)$ (property 4: $117 \equiv 1 \pmod 4$)<br />
$= -\left(\frac{40}{117}\right)$ (property 1)<br />
$= -\left(\frac{2}{117}\right)^3 \left(\frac{5}{117}\right)$ (property 3: $40 = 2^3 \times 5$)<br />
$= \left(\frac{5}{117}\right)$ (property 2: $117 \equiv 5 \pmod 8$, so $\left(\frac{2}{117}\right) = -1$)<br />
$= \left(\frac{117}{5}\right)$ (property 4)<br />
$= \left(\frac{2}{5}\right)$ (property 1)<br />
$= -1$ (property 2: $5 \equiv -3 \pmod 8$)<br />
□<br />
Suppose now $n > 1$ is odd. If n is prime, then $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod n$, for any a. On the other hand, if n<br />
is composite, it may or may not be the case that $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod n$. If this congruence holds, then n is<br />
called an Euler pseudoprime to the base a. For instance, 91 is an Euler pseudoprime to the base 10.<br />
It can be shown that, for any odd composite n, n is an Euler pseudoprime to the base a for at most half of the<br />
integers $a \in \mathbb{Z}_n^*$. Also, $\left(\frac{a}{n}\right) = 0$ iff $\gcd(a,n) > 1$, which means, in the case $1 \le a \le n-1$, that n is composite.<br />
Solovay-Strassen Primality Test<br />
- given: n an odd integer<br />
- computes: whether n is prime (probable) or composite (sure)<br />
Algorithm:<br />
1. choose a random integer a, $1 \le a \le n-1$<br />
2. $x \leftarrow \left(\frac{a}{n}\right)$<br />
3. if x = 0 then<br />
4. return ("n is composite")<br />
5. $y \leftarrow a^{(n-1)/2} \bmod n$<br />
6. if $x \equiv y \pmod n$ then<br />
7. return ("n is prime")<br />
8. else<br />
9. return ("n is composite")<br />
Complexity: $O((\log n)^3)$<br />
□<br />
By the above discussion we have the following theorem.<br />
Theorem 9.11. The Solovay-Strassen test is a yes-biased Monte Carlo algorithm for Composites with probability<br />
of error at most 1/2.<br />
Notice that the probability of interest for us is<br />
$$\Pr(n \text{ odd composite} \mid \text{alg says `n is prime' } m \text{ times in succession}) \le \frac{\ln n - 2}{\ln n - 2 + 2^{m+1}}$$<br />
and not<br />
$$\Pr(\text{alg says `n is prime' } m \text{ times in succession} \mid n \text{ odd composite}) \le 2^{-m}.$$<br />
(The first bound follows from the second by Bayes' theorem together with the density of primes near n; it depends on n because the prior probability that a random odd n is prime does.)<br />
In practice, one would run the test about 50 to 100 times, which for a 512-bit n reduces the probability of error to<br />
something like $0.157 \times 10^{-12}$ or $0.139 \times 10^{-27}$.<br />
We present next another primality test algorithm which is faster in practice.<br />
Miller-Rabin Primality Test<br />
- given: n an odd integer<br />
- computes: whether n is prime (probable) or composite (sure)<br />
Algorithm:<br />
1. write $n-1 = 2^k m$, m odd<br />
2. choose a random integer a, $1 \le a \le n-1$<br />
3. $b \leftarrow a^m \bmod n$<br />
4. if $b \equiv 1 \pmod n$ then<br />
5. return ("n is prime")<br />
6. for i from 0 to k-1 do<br />
7. if $b \equiv -1 \pmod n$ then<br />
8. return ("n is prime")<br />
9. else<br />
10. $b \leftarrow b^2 \bmod n$<br />
11. return ("n is composite")<br />
Complexity: $O((\log n)^3)$<br />
Although the order of complexity is the same, in practice it performs better than the Solovay-Strassen algorithm (no Jacobi symbol has to be computed, and the error bound per round is 1/4 instead of 1/2).<br />
Theorem 9.12. The Miller-Rabin algorithm is a yes-biased Monte Carlo algorithm for Composites with<br />
probability of error at most 1/4.<br />
Proof. (for yes-biased) Assume n is prime but the algorithm answers "n is composite". So, $a^m \not\equiv 1 \pmod n$<br />
and also $a^{2^i m} \not\equiv -1 \pmod n$, for all $0 \le i \le k-1$. As n is prime, by Fermat's theorem we have $a^{2^k m} \equiv 1 \pmod n$.<br />
Hence $a^{2^{k-1} m}$ is a square root of 1 modulo n, so it is congruent to one of $\pm 1$ (n being prime, these are the only square roots of 1 modulo n).<br />
It is not $-1$, thus $a^{2^{k-1} m} \equiv 1 \pmod n$, so $a^{2^{k-2} m}$ is again a square root of 1 modulo n and the same argument applies.<br />
Continuing like this, we finally get that $a^m \equiv 1 \pmod n$, a contradiction.<br />
□<br />
9.9 Attacks on RSA<br />
A first obvious attack is to factor n. Another possible attack is to find $\phi(n)$. This is no easier than factoring.<br />
Indeed, if n and $\phi(n)$ are known, then we have $n = pq$ and $\phi(n) = (p-1)(q-1) = n - (p+q) + 1$, so $p + q = n - \phi(n) + 1$ and p, q are the roots of<br />
$$x^2 - (n - \phi(n) + 1)x + n = 0,$$<br />
which gives p and the factorization of n.<br />
Example 9.13. If $n = 84773093$ and $\phi(n) = 84754668$ was somehow discovered, then<br />
$$x^2 - 18426x + 84773093 = 0$$<br />
has the roots 9539 and 8887. These are the factors of n.<br />
□<br />
We discuss in this subsection some of the most important attacks against RSA, except for factoring algorithms,<br />
which are discussed in a separate section.
9.9.1 Decryption exponent<br />
We shall show that any algorithm to compute the decryption exponent can be used as an oracle in a probabilistic<br />
algorithm for factoring n. This means that computing the decryption exponent is no easier than factoring. In<br />
particular, it means that if a is revealed, then n is also compromised. Therefore, in such a case, Bob has to<br />
choose a new modulus as well, not only a new decryption exponent.<br />
The idea is as follows. If we know a non-trivial square root of 1 modulo n, then we can factor n in polynomial<br />
time. Let us see how. The square roots of 1 modulo $n = pq$ are the x with $x^2 \equiv 1 \pmod n$. This is equivalent to<br />
$x^2 \equiv 1 \pmod p$ and $x^2 \equiv 1 \pmod q$, which, in turn, is equivalent to $x \equiv \pm 1 \pmod p$ and $x \equiv \pm 1 \pmod q$.<br />
Thus, there are four square roots of 1 modulo n; two are trivial, $\pm 1 \pmod n$, and two are non-trivial, that is,<br />
the other two (additive inverses of each other). (In general, they can be found using the Chinese Remainder<br />
Theorem.)<br />
Assume now x is a non-trivial square root of 1 modulo $n = pq$. Then $n \mid (x-1)(x+1)$ but $n \nmid (x \pm 1)$. Therefore<br />
$\gcd(x+1, n)$ is either p or q; similarly for $\gcd(x-1, n)$. Notice that gcd can be computed easily (Euclidean algorithm).<br />
Example 9.14. Assume $n = 403 = 13 \times 31$. The four square roots of 1 modulo 403 are 1, 92, 311, and 402.<br />
The square root 92 is the solution of the system<br />
$$x \equiv 1 \pmod{13}, \qquad x \equiv -1 \pmod{31},$$<br />
and the other nontrivial root, 311, is the solution of<br />
$$x \equiv 1 \pmod{31}, \qquad x \equiv -1 \pmod{13}.$$<br />
Now, assuming we know the root 92, we compute $\gcd(93, 403) = 31$ or $\gcd(91, 403) = 13$.<br />
□<br />
Factoring algorithm using an oracle for the decryption exponent<br />
- given: n = pq product of two odd (unknown) primes and a, b the decryption/encryption exponents<br />
- computes: p and q (probable)<br />
Algorithm:<br />
1. write $ab - 1 = 2^s r$, r odd<br />
2. choose random w, $1 \le w \le n-1$<br />
3. $x \leftarrow \gcd(w, n)$<br />
4. if $1 < x < n$ then<br />
5. return 'success: x, n/x'<br />
6. $v \leftarrow w^r \bmod n$<br />
7. if $v \equiv 1 \pmod n$ then<br />
8. return 'failure'<br />
9. while $v \not\equiv 1 \pmod n$ do<br />
10. $v_0 \leftarrow v$<br />
11. $v \leftarrow v^2 \bmod n$<br />
12. if $v_0 \equiv -1 \pmod n$ then<br />
13. return 'failure'<br />
14. else return 'success: $x = \gcd(v_0 + 1, n)$, n/x'<br />
(Steps 12-14 are executed once, after the while loop of steps 9-11 has ended.)<br />
If we are lucky enough to find a w which is a multiple of p or q, then we are done in step 5. If not, then w is<br />
relatively prime to n and we compute $w^r, w^{2r}, w^{4r}, \ldots$ by repeated squaring until $w^{2^t r} \equiv 1 \pmod n$. Since<br />
$ab - 1 = 2^s r \equiv 0 \pmod{\phi(n)}$, Euler's theorem gives $w^{2^s r} \equiv 1 \pmod n$ and hence the while loop terminates after at<br />
most s iterations. At the end of the loop we have found $v_0$ such that $v_0^2 \equiv 1 \pmod n$ but $v_0 \not\equiv 1 \pmod n$. If<br />
$v_0 \equiv -1 \pmod n$, then it gives nothing new and the algorithm fails. If not, then $v_0$ is a nontrivial square root<br />
of 1 modulo n and we can factor n as above.
Example 9.15. Suppose $n = 89855713$, $b = 34986517$, and $a = 82330933$. Assume also $w = 5$. We compute<br />
$$ab - 1 = 2^3 \times 360059073378795.$$<br />
We have then<br />
$$w^r \bmod n = 85877701$$<br />
and it happens that<br />
$$85877701^2 \equiv 1 \pmod n.$$<br />
Thus, the algorithm will return the value<br />
$$x = \gcd(85877702, n) = 9103.$$<br />
The other factor of n is $n/9103 = 9871$.<br />
It can be shown that the probability of success (over the choice of w) is at least 1/2.<br />
□<br />
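The two steps above, factoring from a nontrivial square root of 1 (Example 9.14) and the oracle-driven search for such a root from the exponent pair (Example 9.15), as an added Python example that is not part of the notes. All names are chosen here; `factor_with_exponents` simply repeats the single attempt with fresh random w, which the text leaves implicit.<br />

```python
import random
from math import gcd


def factor_from_sqrt_of_one(n, x):
    """Split n = pq given a nontrivial square root x of 1 modulo n
    (x^2 = 1 but x != +-1 mod n): n | (x-1)(x+1) while n divides neither factor."""
    x %= n
    if x * x % n != 1 or x in (1, n - 1):
        raise ValueError("x is not a nontrivial square root of 1 modulo n")
    p = gcd(x + 1, n)
    return p, n // p


def factor_attempt(n, a, b, w):
    """One run of the algorithm above with exponents a, b and base w.
    Returns (p, q) on success, None on failure."""
    x = gcd(w, n)
    if 1 < x < n:                    # lucky: w shares a factor with n
        return x, n // x
    r = a * b - 1                    # ab - 1 = 2^s * r, r odd
    while r % 2 == 0:
        r //= 2
    v = pow(w, r, n)
    if v == 1:
        return None
    while v != 1:                    # square until we hit 1; terminates since
        v0 = v                       # w^(2^s r) = 1 (Euler: phi(n) | ab - 1)
        v = v * v % n
    if v0 == n - 1:                  # v0^2 = 1 with v0 = -1: nothing learned
        return None
    return factor_from_sqrt_of_one(n, v0)


def factor_with_exponents(n, a, b, rng=random, max_tries=100):
    """Retry with random bases; each attempt succeeds with probability >= 1/2."""
    for _ in range(max_tries):
        res = factor_attempt(n, a, b, rng.randrange(1, n))
        if res is not None:
            return tuple(sorted(res))
    return None
```

With the numbers of Example 9.15, `factor_attempt(89855713, 82330933, 34986517, 5)` reaches 1 after a single squaring and returns 9103 and 9871; for the toy modulus 403 of Example 9.14 (with b = 7, a = 103, so ab - 1 = 720 is a multiple of φ(403) = 360) the retry loop lands on a base giving 92 or 311 within a few tries.<br />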
9.9.2 Wiener's low decryption exponent attack<br />
This attack works in the case when<br />
$$3a < n^{1/4} \qquad \text{and} \qquad q < p < 2q.$$<br />
This means, if n has l bits in binary, then a has fewer than l/4 - 1 bits and p and q are not too far apart.<br />
Notice that Bob might be tempted to choose a small decryption exponent in order to speed up decryption.<br />
If he chooses a as above, then he saves about 75% of the time needed. We prove next that such choices should be<br />
avoided.<br />
Since $ab \equiv 1 \pmod{\phi(n)}$, there is t such that<br />
$$ab - t\phi(n) = 1.$$<br />
We have then (using $q < p < 2q$ and $q < \sqrt{n}$)<br />
$$0 < n - \phi(n) = p + q - 1 < 2q + q - 1 < 3q < 3\sqrt{n}$$<br />
and<br />
$$\left| \frac{b}{n} - \frac{t}{a} \right| = \left| \frac{ab - tn}{an} \right| = \left| \frac{1 + t(\phi(n) - n)}{an} \right| < \frac{3t\sqrt{n}}{an} = \frac{3t}{a\sqrt{n}}.$$<br />
Since $t < a$ (because $b < \phi(n)$), we have $3t < 3a < n^{1/4}$ and so<br />
$$\left| \frac{b}{n} - \frac{t}{a} \right| < \frac{1}{a n^{1/4}} < \frac{1}{3a^2}.$$<br />
Therefore, the fraction t/a is a very close approximation of b/n. We use now the theory of continued fractions<br />
and deduce that t/a must be one of the convergents in the continued fraction expansion of b/n (see below).<br />
A (finite) continued fraction is a tuple $[q_1, q_2, \ldots, q_m]$ of non-negative integers which is a shorthand for<br />
$$q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cdots + \cfrac{1}{q_m}}}$$<br />
It is not difficult to see that if $\gcd(a,b) = 1$, then a/b can be written as a continued fraction using the quotients<br />
in the Euclidean algorithm. We shall give only an example.<br />
Example 9.16. Consider the fraction 34/99. In the Euclidean algorithm we have<br />
34 = 0×99+34<br />
99 = 2×34+31<br />
34 = 1×31+3<br />
31 = 10×3+1<br />
3 = 3×1.
The continued fraction expansion will be [0,2,1,10,3], i.e.,<br />
$$\frac{34}{99} = 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{10 + \cfrac{1}{3}}}}$$<br />
For the continued fraction [q 1 ,...,q m ], the continued fractions [q 1 ,...,q j ], 1 ≤ j ≤ m, are called its convergents.<br />
Example 9.17. The convergents of the continued fraction in the example above are<br />
[0] = 0<br />
[0,2] = 1/2<br />
[0,2,1] = 1/3<br />
[0,2,1,10] = 11/32<br />
[0,2,1,10,3] = 34/99.<br />
For our attack we shall use the following result from the theory of continued fractions.<br />
Lemma 9.18. If $\gcd(a,b) = \gcd(c,d) = 1$ and<br />
$$\left| \frac{a}{b} - \frac{c}{d} \right| < \frac{1}{2d^2},$$<br />
then c/d is one of the convergents of the continued fraction expansion of a/b.<br />
This lemma gives us that the unknown fraction t/a must be one of the convergents of the continued fraction<br />
expansion of b/n; notice that b/n is publicly known. All we need to do is to test each convergent to see if it is<br />
the right one.<br />
Wiener's algorithm<br />
- given: n = pq product of two odd (unknown) primes and the public exponent b<br />
- computes: p and q if the conditions for Wiener's algorithm are satisfied<br />
Algorithm:<br />
1. $(q_1, q_2, \ldots, q_m) \leftarrow$ EuclideanAlg(n, b) [the quotients of the continued fraction expansion of b/n]<br />
2. $c_0 \leftarrow 1$<br />
3. $c_1 \leftarrow q_1$<br />
4. $d_0 \leftarrow 0$<br />
5. $d_1 \leftarrow 1$<br />
6. $j \leftarrow 1$<br />
7. while $j \le m$ do<br />
8. $n' \leftarrow (d_j b - 1)/c_j$ [$n' = \phi(n)$ if $c_j/d_j$ is the right convergent t/a; skip the convergent $c_1/d_1 = 0$]<br />
9. if $n'$ is an integer then<br />
10. let p and q be the roots of the equation<br />
11. $x^2 - (n - n' + 1)x + n = 0$<br />
12. if p and q are positive integers less than n then<br />
13. return (p, q)<br />
14. $j \leftarrow j + 1$<br />
15. $c_j \leftarrow q_j c_{j-1} + c_{j-2}$<br />
16. $d_j \leftarrow q_j d_{j-1} + d_{j-2}$<br />
17. return 'failure'<br />
□<br />
Example 9.19. Suppose $n = 160523347$ and $b = 60728973$. The continued fraction expansion of b/n is<br />
[0,2,1,1,1,4,12,102,1,1,2,3,2,2,36].<br />
The first few convergents are<br />
$$0, \ \frac{1}{2}, \ \frac{1}{3}, \ \frac{2}{5}, \ \frac{3}{8}, \ \frac{14}{37}.$$<br />
It can be verified that the convergent which produces a factorization is 14/37 (so $t = 14$ and $a = 37$), which yields<br />
$$n' = \frac{37 \times 60728973 - 1}{14} = 160498000.$$<br />
If we now solve the equation<br />
$$x^2 - 25348x + 160523347 = 0,$$<br />
then we find the roots 12347 and 13001. We have then the factorization<br />
$$n = 12347 \times 13001.$$<br />
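Continued fractions and their convergents (Examples 9.16 and 9.17), the recovery of p and q from n and φ(n) (Example 9.13), and Wiener's algorithm itself, as one added Python example; this is not code from the notes. `factors_from_phi` is the quadratic of steps 10-12 solved with an exact integer square root, so it can never report a false factorization; all names are chosen here.<br />

```python
from math import isqrt


def continued_fraction(a, b):
    """Partial quotients [q1, ..., qm] of a/b, read off the Euclidean algorithm."""
    qs = []
    while b:
        q, r = divmod(a, b)
        qs.append(q)
        a, b = b, r
    return qs


def convergents(qs):
    """Convergents c_j/d_j of [q1, ..., qm] as (c_j, d_j) pairs, via
    c_j = q_j c_{j-1} + c_{j-2}, d_j = q_j d_{j-1} + d_{j-2}."""
    c_prev, c = 1, qs[0]
    d_prev, d = 0, 1
    out = [(c, d)]
    for q in qs[1:]:
        c_prev, c = c, q * c + c_prev
        d_prev, d = d, q * d + d_prev
        out.append((c, d))
    return out


def factors_from_phi(n, phi):
    """Example 9.13: p, q from n = pq and phi = (p-1)(q-1) are the roots of
    x^2 - (n - phi + 1) x + n = 0.  Returns (p, q) with p >= q, or None."""
    s = n - phi + 1                  # p + q
    disc = s * s - 4 * n             # (p - q)^2
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (s + root) % 2:
        return None
    p, q = (s + root) // 2, (s - root) // 2
    if q > 1 and p * q == n:
        return p, q
    return None


def wiener(n, b):
    """Wiener's attack on the public key (n, b).  Succeeds when the private
    exponent a satisfies 3a < n^(1/4) and q < p < 2q; returns (p, q) or None."""
    for t, a in convergents(continued_fraction(b, n)):   # candidate t/a
        if t == 0 or (a * b - 1) % t:
            continue
        phi = (a * b - 1) // t       # n' in the algorithm above
        pq = factors_from_phi(n, phi)
        if pq is not None:
            return pq
    return None
```

`wiener(160523347, 60728973)` walks the convergents 0, 1/2, 1/3, 2/5, 3/8 (each rejected because the discriminant is not a perfect square) and stops at 14/37 with φ(n) = 160498000 and the factors 13001 and 12347.<br />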
Notice that for the modulus $n = 160523347$, Wiener's algorithm will work for $a < \frac{1}{3} n^{1/4} \approx 37.52$.<br />
9.9.3 Partial information about plaintext bits<br />
So far we considered total breaks of the system. We consider here a more modest goal the adversary might<br />
have. He might want to find out only some partial information about the plaintext x revealed by the ciphertext<br />
$y = e_K(x)$. One example of such information is the Jacobi symbol<br />
$$\left(\frac{x}{n}\right) = \left(\frac{x}{n}\right)^b = \left(\frac{y}{n}\right)$$<br />
(b is odd since $\gcd(b, \phi(n)) = 1$ and $\phi(n)$ is even), which can be computed without knowing x. We consider in this subsection some other types of information<br />
about the plaintext, such as:<br />
- the low order bit of the plaintext: $\mathrm{parity}(y) = \begin{cases} 0 & \text{if } x \text{ is even} \\ 1 & \text{if } x \text{ is odd} \end{cases}$<br />
- in which half of $[0, n)$ x lies: $\mathrm{half}(y) = \begin{cases} 0 & \text{if } 0 \le x < n/2 \\ 1 & \text{if } n/2 < x \le n-1 \end{cases}$<br />
We shall prove in this section that computing parity or half is polynomially equivalent with determining the<br />
plaintext.<br />
First we notice that parity and half are polynomially equivalent. This holds because (using the multiplicative property of RSA, $e_K(x_1 x_2 \bmod n) = e_K(x_1) e_K(x_2) \bmod n$)<br />
- $\mathrm{half}(y) = \mathrm{parity}(y \times e_K(2) \bmod n)$ (the plaintext of $y \times e_K(2)$ is $2x \bmod n$, which is even iff $x < n/2$)<br />
- $\mathrm{parity}(y) = \mathrm{half}(y \times e_K(2^{-1}) \bmod n)$ (the plaintext is x/2 if x is even and $(x+n)/2 > n/2$ if x is odd)<br />
Next we give an algorithm which computes the plaintext in polynomial time, given an oracle for half.<br />
RSA decryption algorithm using an oracle for half<br />
- given: a ciphertext $y = e_K(x)$<br />
- computes: x using half<br />
Algorithm:<br />
1. $k \leftarrow \lfloor \log_2 n \rfloor$<br />
2. for i from 0 to k do<br />
3. $h_i \leftarrow \mathrm{half}(y)$<br />
4. $y \leftarrow (y \times e_K(2)) \bmod n$<br />
5. $lo \leftarrow 0$<br />
6. $hi \leftarrow n$<br />
7. for i from 0 to k do<br />
8. $mid \leftarrow (hi + lo)/2$<br />
9. if $h_i = 1$ then $lo \leftarrow mid$<br />
10. else $hi \leftarrow mid$<br />
11. return $\lfloor hi \rfloor$<br />
We notice that the RSA encryption function satisfies the following multiplicative property<br />
$$e_K(x_1 x_2 \bmod n) = e_K(x_1) e_K(x_2) \bmod n.$$<br />
Therefore, in the ith iteration of the first loop, we have<br />
$$h_i = \mathrm{half}(y \times (e_K(2))^i \bmod n) = \mathrm{half}(e_K(x \times 2^i \bmod n)).$$<br />
We observe that<br />
$$\mathrm{half}(e_K(x)) = 0 \iff x \in \left[0, \frac{n}{2}\right)$$<br />
$$\mathrm{half}(e_K(2x \bmod n)) = 0 \iff x \in \left[0, \frac{n}{4}\right) \cup \left[\frac{n}{2}, \frac{3n}{4}\right)$$<br />
$$\mathrm{half}(e_K(4x \bmod n)) = 0 \iff x \in \left[0, \frac{n}{8}\right) \cup \left[\frac{n}{4}, \frac{3n}{8}\right) \cup \left[\frac{n}{2}, \frac{5n}{8}\right) \cup \left[\frac{3n}{4}, \frac{7n}{8}\right)$$<br />
and so on: $h_i$ is the (i+1)-th binary digit of the fraction x/n. After the k+1 values the interval $[lo, hi)$ has length $n/2^{k+1} < 1$ and contains exactly one integer, x. Hence we find x by a binary search.<br />
Example 9.20. Assume $n = 1457$, $b = 779$, and $y = 722$. The search proceeds as below; the plaintext is<br />
$x = \lfloor 999.55 \rfloor = 999$ (indeed $999^{779} \bmod 1457 = 722$).<br />
i h_i lo mid hi<br />
0 1 0.00 728.50 1457.00<br />
1 0 728.50 1092.75 1457.00<br />
2 1 728.50 910.62 1092.75<br />
3 0 910.62 1001.69 1092.75<br />
4 1 910.62 956.16 1001.69<br />
5 1 956.16 978.92 1001.69<br />
6 1 978.92 990.30 1001.69<br />
7 1 990.30 996.00 1001.69<br />
8 1 996.00 998.84 1001.69<br />
9 0 998.84 1000.26 1001.69<br />
10 0 998.84 999.55 1000.26<br />
final: lo = 998.84, hi = 999.55<br />
□<br />
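The half-oracle decryption above and the parity/half equivalence, as an added Python example that is not from the notes. The oracle is simulated with the private exponent a, which (as in the text) only the oracle knows; `Fraction` is used for lo, hi and mid so the binary search is exact rather than rounded to two decimals as in the table. Names are chosen here.<br />

```python
from fractions import Fraction
from math import floor


def make_half_oracle(n, a):
    """Simulated half oracle: uses the private exponent a, which the attacker
    does not have.  half(y) = 0 iff d_K(y) < n/2."""
    def half(y):
        x = pow(y, a, n)
        return 0 if 2 * x < n else 1
    return half


def parity_from_half(n, b, y, half):
    """parity(y) = half(y * e_K(2^-1) mod n)."""
    inv2 = pow(2, -1, n)
    return half(y * pow(inv2, b, n) % n)


def half_from_parity(n, b, y, parity):
    """half(y) = parity(y * e_K(2) mod n)."""
    return parity(y * pow(2, b, n) % n)


def decrypt_with_half(n, b, y, half):
    """Recovers x from y = x^b mod n using only the public key (n, b) and the
    half oracle: floor(log2 n) + 1 oracle calls, then a binary search on x/n."""
    k = n.bit_length() - 1           # floor(log2 n)
    e2 = pow(2, b, n)                # e_K(2)
    bits = []
    for _ in range(k + 1):
        bits.append(half(y))         # h_i = half(e_K(x * 2^i mod n))
        y = y * e2 % n               # multiplicative property of RSA
    lo, hi = Fraction(0), Fraction(n)
    for h in bits:
        mid = (lo + hi) / 2
        if h == 1:
            lo = mid
        else:
            hi = mid
    # [lo, hi) now has length n / 2^(k+1) < 1, so it holds exactly one integer
    return floor(hi)
```

Running it on Example 9.20 (`n = 1457`, `b = 779`, `y = 722`, with a = 779⁻¹ mod 1380 given to the oracle) yields 999 after 11 oracle calls; the same loop recovers any plaintext, including the extremes 1 and n - 1.<br />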
10 FACTORING ALGORITHMS<br />
- special purpose algorithms: running time depends on some properties of the number n to be factored (e.g. the size of its smallest prime factor)<br />
- general purpose algorithms: running time depends only on the size of n<br />
10.1 Trial division<br />
If n is composite, then it has a prime factor which is at most $\sqrt{n}$. Trial division divides n by 2 and then by all odd integers up to $\sqrt{n}$.<br />
In the worst case, $O(\sqrt{n})$ divisions are performed.<br />
10.2 Pollard's p-1 algorithm<br />
- for n having a prime factor p such that p-1 has only small prime factors<br />
Pollard's p-1 algorithm for factoring integers<br />
- given: n and B two integers<br />
- computes: a non-trivial factor of n<br />
Algorithm:<br />
1. $a \leftarrow 2$<br />
2. for j from 2 to B do<br />
3. $a \leftarrow a^j \bmod n$<br />
4. $d \leftarrow \gcd(a - 1, n)$<br />
5. if $1 < d < n$ then return 'success: d'<br />
6. else return 'failure'<br />
Complexity: O(B) modular exponentiations each requiring $O(\log B)$ modular multiplications (square and<br />
multiply) plus the gcd: altogether $O(B \log B (\log n)^2 + (\log n)^3)$<br />
- for B as large as about $\sqrt{n}$ this is no better than trial division; the method only pays off when a small B suffices<br />
- idea: assume p is a prime divisor of n such that $q \le B$ for every prime power q which divides p-1<br />
- then $(p-1) \mid B!$<br />
- before step 4 (at the end of the for loop in steps 2 and 3), we have $a \equiv 2^{B!} \pmod n$ and therefore $a \equiv 2^{B!} \pmod p$<br />
- by Fermat's theorem, $2^{p-1} \equiv 1 \pmod p$, and $(p-1) \mid B!$<br />
- hence $a \equiv 1 \pmod p$<br />
- thus $p \mid (a-1)$ and so $p \mid d = \gcd(a-1, n)$, which implies that d is a non-trivial divisor of n, unless $d = n$ (which happens when the same holds for every prime factor of n)<br />
Example 10.1. Assume $n = 15770708441$ and use $B = 180$<br />
- we find, after step 3, that $a = 11620221425$ has $\gcd(a-1, n) = 135979 = d$<br />
- $n = 135979 \times 115979$<br />
- the success is due to the fact that 135978 has only small prime factors:<br />
$$135978 = 2 \times 3 \times 131 \times 173$$<br />
- therefore, any $B \ge 173$ is good, as long as B stays below 563: since $115978 = 2 \times 103 \times 563$, for $B \ge 563$ both p-1 and q-1 divide B!, so $a \equiv 1 \pmod n$ and $d = n$ □<br />
- primes for RSA<br />
- we have to choose $n = pq$, p, q primes such that neither p-1 nor q-1 has only small prime factors<br />
- we can choose p and q such that $p = 2p_1 + 1$, $q = 2q_1 + 1$ with $p_1$ and $q_1$ primes also (safe primes)
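Pollard's p-1 algorithm and the smoothness check that explains Example 10.1, as an added Python example (not from the notes). `largest_prime_factor` is an analysis helper added here; it needs the factorization of n and is not part of the attack.<br />

```python
from math import gcd


def pollard_p_minus_1(n, B):
    """Pollard's p-1 with smoothness bound B.  Returns a nontrivial factor of n,
    or None when d = gcd(2^(B!) - 1, n) is 1 (B too small) or n (B so large that
    p-1 | B! for every prime factor p of n, making a = 1 mod n)."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)              # after the loop, a = 2^(B!) mod n
    d = gcd(a - 1, n)
    return d if 1 < d < n else None


def largest_prime_factor(m):
    """Trial division.  p-1 | B! certainly holds once B is at least the
    largest prime power dividing p-1; for squarefree p-1 that is this value."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest


def p_minus_1_window(p, q):
    """For n = pq, the range of B for which the method isolates p:
    B >= largest prime factor of p-1, but below that of q-1."""
    return largest_prime_factor(p - 1), largest_prime_factor(q - 1)
```

For Example 10.1, `pollard_p_minus_1(15770708441, 180)` returns 135979, while `pollard_p_minus_1(15770708441, 600)` fails with d = n because 600! is also a multiple of 115978 = 2 × 103 × 563; `p_minus_1_window(135979, 115979)` gives exactly the bounds 173 and 563 quoted above.<br />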
10.3 Pollard's rho algorithm<br />
- idea: compute $x_1 = 2$, $x_2 = x_1^2 + 1 \bmod n$, $x_3 = x_2^2 + 1 \bmod n$, ...<br />
- if $1 < \gcd(x_i - x_j, n) < n$, then we found a divisor of n<br />
- that is: we want to find two $x_i$'s which are in different residue classes modulo n but in the same residue<br />
class modulo a divisor of n<br />
- improvement: we need not compute all $\gcd(x_i - x_j, n)$;<br />
- if $x_i \equiv x_j \pmod r$, for some $r \mid n$, then also $x_{i+k} \equiv x_{j+k} \pmod r$ for all $k \ge 0$ (the map $x \mapsto x^2 + 1$ is well defined modulo r), so it suffices to compare $x_i$ with $x_{2i}$ (Floyd's cycle detection)<br />
Pollard's rho algorithm for factoring integers<br />
- given: n an integer<br />
- computes: a non-trivial factor of n<br />
Algorithm:<br />
1. $a \leftarrow 2$, $b \leftarrow 2$<br />
2. for i = 1, 2, 3, ... do<br />
3. compute $a \leftarrow a^2 + 1 \bmod n$, $b \leftarrow b^2 + 1 \bmod n$, $b \leftarrow b^2 + 1 \bmod n$<br />
4. compute $d \leftarrow \gcd(a - b, n)$<br />
5. if $1 < d < n$ then return 'success: d'<br />
6. if $d = n$ then return 'failure' (try again with another polynomial, e.g. $x^2 + c$ for a different c, or another starting point)<br />
Complexity: assuming $x^2 + 1$ behaves like a random function, the expected running time is $O(n^{1/4})$ modular<br />
multiplications (more precisely $O(\sqrt{p})$ for the smallest prime factor p of n, by the birthday paradox)<br />
Example 10.2. Assume n = 455459; we have the values of a <strong>and</strong> b:<br />
a b d<br />
5 26 1<br />
26 2871 1<br />
677 179685 1<br />
2871 155260 1<br />
44380 416250 1<br />
179685 43670 1<br />
121634 164403 1<br />
155260 247944 1<br />
44567 68343 743<br />
- finally 455459=743×613 □<br />
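Pollard's rho algorithm with Floyd cycle detection, the trace of Example 10.2, and the sequence modulo p that gives the method its name, as an added Python example not taken from the notes. The parameter c (polynomial $x^2 + c$, with c = 1 as in the text) and the retry loop are additions used here to handle the d = n failure; names are chosen here.<br />

```python
from math import gcd


def pollard_rho(n, x0=2, c=1, max_iter=1_000_000):
    """Pollard rho with f(x) = x^2 + c mod n and Floyd's cycle detection.
    Returns a nontrivial factor, or None if gcd(a - b, n) hits n (try another c)."""
    f = lambda x: (x * x + c) % n
    a = b = x0
    for _ in range(max_iter):
        a = f(a)                      # a = x_{i+1}
        b = f(f(b))                   # b = x_{2i+1}
        d = gcd(a - b, n)
        if 1 < d < n:
            return d
        if d == n:
            return None
    return None


def pollard_rho_trace(n, x0=2, c=1, max_iter=1_000_000):
    """Same iteration, returning the (a, b, d) rows of Example 10.2."""
    f = lambda x: (x * x + c) % n
    a = b = x0
    rows = []
    for _ in range(max_iter):
        a, b = f(a), f(f(b))
        d = gcd(a - b, n)
        rows.append((a, b, d))
        if d != 1:
            return rows
    return rows


def rho_sequence_mod(p, x0=2, c=1, steps=20):
    """The sequence x_2, x_3, ... reduced modulo p: a tail followed by a cycle,
    the 'rho' shape that the algorithm is named after."""
    f = lambda x: (x * x + c) % p
    seq, x = [], x0
    for _ in range(steps):
        x = f(x)
        seq.append(x)
    return seq


def pollard_rho_retry(n, max_c=20):
    """Retry with increasing c when a run fails (d == n)."""
    for c in range(1, max_c + 1):
        d = pollard_rho(n, c=c)
        if d is not None:
            return d
    return None
```

`pollard_rho_trace(455459)` reproduces the nine rows of the table above and stops at d = 743; `rho_sequence_mod(743, steps=15)` shows the tail 5, 26, 677, 642, 543 running into the 9-cycle 622, 525, 716, 730, 170, 667, 576, 399, 200, which is why the collision is detected exactly at iteration 9.<br />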
The name of the algorithm comes from the fact that, if we consider the sequence $x_1 \bmod p, x_2 \bmod p, \ldots$,<br />
then at some point a value will be repeated, producing a graph whose shape resembles the letter ρ. For the<br />
above example, modulo $p = 743$, we have:<br />
5 → 26 → 677 → 642 → 543 → 622 → 525 → 716 → 730 → 170 → 667 → 576 → 399 → 200 → 622 → ...<br />
(the tail is 5, 26, 677, 642, 543; the cycle 622, 525, 716, 730, 170, 667, 576, 399, 200 has length 9, which is why the collision in Example 10.2 shows up at iteration 9)<br />
10.4 Random square factoring<br />
- idea: find x <strong>and</strong> y such that x 2 ≡ y 2 (mod n) but x ≢ ±y (mod n); then n | (x−y)(x+y) but n does not<br />
divide either of x−y <strong>and</strong> x+y; therefore gcd(x−y,n) is a non-trivial factor of n<br />
Dixon’s algorithm<br />
- given: n an integer
- computes: a non-trivial factor of n<br />
Algorithm:<br />
1. choose a factor base $B = \{p_1, p_2, \ldots, p_t\}$ (the first t primes)<br />
2. find t+1 pairs $(a_i, b_i)$, $1 \le i \le t+1$ (by random testing) such that<br />
(i) $a_i^2 \equiv b_i \pmod n$<br />
(ii) $b_i$ is $p_t$-smooth (that is, $b_i = \prod_{j=1}^{t} p_j^{e_{ij}}$)<br />
3. find a subset of the $b_i$'s whose product is a perfect square<br />
- we need only the parity of the exponents (we have the factorizations of the $b_i$'s)<br />
- associate $v_i = (v_{i1}, \ldots, v_{it})$ with $(e_{i1}, \ldots, e_{it})$, where $v_{ij} = e_{ij} \bmod 2$<br />
- $v_1, \ldots, v_{t+1}$ must be linearly dependent over $(\mathbb{Z}_2)^t$ (t+1 vectors in a space of dimension t); say $\sum_{i \in T} v_i = 0$<br />
- then $\prod_{i \in T} b_i$ is a perfect square<br />
- put $x = \prod_{i \in T} a_i \bmod n$ and $y =$ the square root of $\prod_{i \in T} b_i$ (obtained by halving the summed exponents) reduced modulo n; then $x^2 \equiv y^2 \pmod n$<br />
4. if $x \not\equiv \pm y \pmod n$ then return 'success: $\gcd(x - y, n)$'<br />
5. else find other dependences and try again<br />
- in practice, there will be several dependencies<br />
- also we can find more than t+1 pairs, to be sure we have more dependences (each dependence gives the useless $x \equiv \pm y$ with probability about 1/2)<br />
Example 10.3. Assume $n = 15770708441$ and choose $B = \{2,3,5,7,11,13\}$. Consider the congruences below<br />
with the corresponding vectors:<br />
$8340934156^2 \equiv 3 \times 7 \pmod n$ (0,1,0,1,0,0)<br />
$12044942944^2 \equiv 2 \times 7 \times 13 \pmod n$ (1,0,0,1,0,1)<br />
$2773700011^2 \equiv 2 \times 3 \times 13 \pmod n$ (1,1,0,0,0,1)<br />
The sum of the three vectors is easily seen to be congruent with (0,0,0,0,0,0) modulo 2. Therefore, the product<br />
of the three congruences will give:<br />
$$(8340934156 \times 12044942944 \times 2773700011)^2 \equiv (2 \times 3 \times 7 \times 13)^2 \pmod n,$$<br />
that is<br />
$$9503435785^2 \equiv 546^2 \pmod n.$$<br />
We compute then<br />
$$\gcd(9503435785 - 546, 15770708441) = 115979$$<br />
which is a factor of $n = 135979 \times 115979$.<br />
□<br />
10.5 Quadratic sieve algorithm<br />
- idea: to obtain $a_i$'s such that the $b_i$'s are small; when the $b_i$'s are small, it is more likely that they are $p_t$-smooth<br />
- let $m = \lfloor \sqrt{n} \rfloor$<br />
- test $a_i$ of the form $a_i = m + x$ with $b_i = (x + m)^2 - n$<br />
- notice that $a_i^2 \equiv b_i \pmod n$<br />
- also, when x is small, $(x + m)^2 - n = x^2 + 2mx + m^2 - n \approx x^2 + 2mx$, which is also small (about $2x\sqrt{n}$, i.e. roughly half the bit length of n)<br />
- trade-off: when t is large, we have better chances to have $p_t$-smooth integers but we need to accumulate<br />
more congruences to obtain a dependence relation<br />
- optimal choice for t is approximately<br />
$$\sqrt{e^{\sqrt{\ln n \ln \ln n}}}$$<br />
- for this we get the expected running time<br />
$$O\left(e^{(1+o(1))\sqrt{\ln n \ln \ln n}}\right)$$
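Dixon's relation combination (steps 3-5 and Example 10.3) and the quadratic-sieve relation collection of Section 10.5, as one added Python example; this is not code from the notes. The GF(2) elimination, the factor-base size t = 100 and the `extra` spare relations are choices made here, and smoothness is tested by plain trial division rather than by sieving, which is enough for a moduli of this size.<br />

```python
from math import gcd, isqrt


def first_primes(t):
    """Factor base B = {p_1, ..., p_t}: the first t primes."""
    primes, k = [], 2
    while len(primes) < t:
        if all(k % p for p in primes):
            primes.append(k)
        k += 1
    return primes


def smooth_exponents(b, base):
    """Exponent vector (e_1, ..., e_t) of b over the base, or None if b is not
    p_t-smooth (or not positive)."""
    if b <= 0:
        return None
    exps = []
    for p in base:
        e = 0
        while b % p == 0:
            b //= p
            e += 1
        exps.append(e)
    return exps if b == 1 else None


def gf2_dependencies(vectors):
    """Gaussian elimination over Z_2.  Yields index sets T with sum_{i in T} v_i = 0,
    one for each vector that is a combination of the earlier ones."""
    pivots = {}                       # highest set bit -> (reduced row, history)
    for i, vec in enumerate(vectors):
        v = sum(bit << j for j, bit in enumerate(vec))
        h = 1 << i                    # which original vectors were xored into v
        for bit in range(len(vec) - 1, -1, -1):
            if (v >> bit) & 1 and bit in pivots:
                pv, ph = pivots[bit]
                v ^= pv
                h ^= ph
        if v == 0:
            yield [j for j in range(i + 1) if (h >> j) & 1]
        else:
            pivots[v.bit_length() - 1] = (v, h)


def combine_relations(n, relations, base):
    """Steps 3-5 of Dixon's algorithm.  relations: (a_i, b_i) with a_i^2 = b_i (mod n)
    and b_i smooth over base.  Returns a nontrivial factor of n, or None."""
    exps = [smooth_exponents(b, base) for _, b in relations]
    vectors = [[e % 2 for e in ev] for ev in exps]
    for T in gf2_dependencies(vectors):
        x = 1
        for i in T:
            x = x * relations[i][0] % n
        y = 1                          # sqrt(prod b_i): halve the summed exponents
        for j, p in enumerate(base):
            y = y * pow(p, sum(exps[i][j] for i in T) // 2, n) % n
        assert x * x % n == y * y % n
        if x not in (y, (n - y) % n):  # x != +-y: (x - y)(x + y) = 0 mod n splits n
            return gcd(x - y, n)
    return None


def quadratic_sieve_relations(n, base, count, max_x=50_000):
    """Section 10.5: a = m + x, b = a^2 - n is only about 2x sqrt(n), so it is
    smooth far more often than a random residue modulo n."""
    m = isqrt(n)
    rels, x = [], 1
    while len(rels) < count and x <= max_x:
        a = m + x
        b = a * a - n
        if smooth_exponents(b, base) is not None:
            rels.append((a, b))
        x += 1
    return rels


def factor_qs(n, t=100, extra=15):
    """Collect t + extra smooth relations (so several dependencies exist) and combine."""
    base = first_primes(t)
    rels = quadratic_sieve_relations(n, base, len(base) + extra)
    return combine_relations(n, rels, base)
```

Fed the three congruences of Example 10.3, `combine_relations` finds the single dependency {1, 2, 3} and returns 115979; `factor_qs(15770708441)` instead collects its own relations of the form $(m + x)^2 - n$ with m = 125581 and splits n the same way.<br />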
10.6 The best current factoring algorithms<br />
- quadratic sieve: $O\left(e^{(1+o(1))\sqrt{\ln n \ln \ln n}}\right)$<br />
- elliptic curve: $O\left(e^{(1+o(1))\sqrt{2 \ln p \ln \ln p}}\right)$<br />
- number field sieve: $O\left(e^{(1.92+o(1))(\ln n)^{1/3}(\ln \ln n)^{2/3}}\right)$<br />
- o(1) approaches 0 as n goes to infinity and p is the smallest prime factor of n<br />
- in the worst case, $p \approx \sqrt{n}$, and so asymptotically the quadratic sieve and the elliptic curve method do the same<br />
- in general the quadratic sieve outperforms the elliptic curve method<br />
- the elliptic curve method is better when the prime factors of n have very different sizes (its running time depends on the smallest one)<br />
- the number field sieve has the best asymptotic running time<br />
- but (it seems) it is better only for numbers of 130 decimal digits or more<br />
10.7 Factoring RSA moduli<br />
Here is a list of the RSA challenge numbers which have been factored or for which prizes were offered (status as of fall 2011; numbers named by digit count are decimal lengths, RSA-576 and up are named by bit length):<br />
number | digits | prize | factored<br />
RSA-100 | 100 | | Apr. 1991<br />
RSA-110 | 110 | | Apr. 1992<br />
RSA-120 | 120 | | Jun. 1993<br />
RSA-129 | 129 | $100 | Apr. 1994<br />
RSA-130 | 130 | | Apr. 10, 1996<br />
RSA-140 | 140 | | Feb. 2, 1999<br />
RSA-150 | 150 | withdrawn | 2004<br />
RSA-155 | 155 | | Aug. 22, 1999<br />
RSA-160 | 160 | | Apr. 1, 2003<br />
RSA-576 | 174 | $10,000 | Dec. 3, 2003<br />
RSA-640 | 193 | $20,000 | Nov. 2, 2005<br />
RSA-704 | 212 | $30,000 | open<br />
RSA-768 | 232 | $50,000 | Dec. 12, 2009<br />
RSA-896 | 270 | $75,000 | open<br />
RSA-1024 | 309 | $100,000 | open<br />
RSA-1536 | 463 | $150,000 | open<br />
RSA-2048 | 617 | $200,000 | open<br />
The two 87-digit factors of RSA-576 are:<br />
398075086424064937397125500550386491199064362342526708406385189575946388957261768583317<br />
472772146107435302536223071973048224632914695302097116459852171130520711256363590397527
11 OTHER PUBLIC-KEY CRYPTOSYSTEMS<br />
We present in this section two other public-key ciphers: Rabin and ElGamal.<br />
11.1 Rabin cryptosystem<br />
The Rabin cryptosystem provides an example of a provably secure cryptosystem: recovering a plaintext from a ciphertext is<br />
provably as difficult as factoring the modulus (Section 11.2).<br />
The Rabin Cryptosystem<br />
$P = C = \mathbb{Z}_n^*$; $n = pq$, p, q primes, $p \equiv 3 \pmod 4$, $q \equiv 3 \pmod 4$<br />
$K = \{(n, p, q) \mid n = pq\}$.<br />
public: n<br />
private: p, q<br />
encryption: $e_K(x) = x^2 \bmod n$<br />
decryption: $d_K(y) = \sqrt{y} \bmod n$<br />
Note: the requirements $p \equiv 3 \pmod 4$, $q \equiv 3 \pmod 4$, and $P = C = \mathbb{Z}_n^*$ can be omitted. They simplify the<br />
analysis (and, as shown below, make the square roots modulo p and q a single exponentiation each).<br />
One drawback of the Rabin cryptosystem is that the encryption function is not an injection and so decryption<br />
cannot be done in an unambiguous fashion. Assume y is a valid ciphertext. The ambiguity comes from the fact<br />
that there are four square roots of y modulo n (see below). In general, Bob has no way to see which one of<br />
these is the correct plaintext unless it contains sufficient redundancy to eliminate the three wrong possibilities.<br />
Bob has to solve the equation<br />
$$x^2 \equiv y \pmod n.$$<br />
This is equivalent to solving the two congruences<br />
$$z^2 \equiv y \pmod p \qquad \text{and} \qquad z^2 \equiv y \pmod q.$$<br />
We can use Euler's criterion to determine if y is a quadratic residue modulo p (and modulo q). If the encryption<br />
was done correctly, it will be. Euler's criterion does not help finding the roots. The special form of p and q<br />
makes this simple: $(p+1)/4$ is an integer, and<br />
$$(\pm y^{(p+1)/4})^2 \equiv y^{(p+1)/2} \equiv y^{(p-1)/2} \, y \equiv y \pmod p,$$<br />
using Euler's criterion, $y^{(p-1)/2} \equiv 1 \pmod p$, in the last step.<br />
The two square roots of y modulo p are $\pm y^{(p+1)/4} \bmod p$. Similarly, the ones modulo q are $\pm y^{(q+1)/4} \bmod q$.<br />
The four square roots of y modulo n are obtained using the Chinese remainder theorem.<br />
Example 11.1. Assume $n = 77 = 7 \times 11$. The encryption function is<br />
$$e_K(x) = x^2 \bmod 77$$<br />
and the decryption function is<br />
$$d_K(y) = \sqrt{y} \bmod 77.$$<br />
Suppose Bob has to decrypt $y = 23$. We have first<br />
$$23^{(7+1)/4} \equiv 2^2 \equiv 4 \pmod 7$$<br />
and<br />
$$23^{(11+1)/4} \equiv 1^3 \equiv 1 \pmod{11}.$$<br />
Using the Chinese remainder theorem, we compute the four square roots of 23 modulo 77 to be $\pm 10, \pm 32 \bmod 77$.<br />
The four possible plaintexts are x = 10, 32, 45, 67.<br />
□<br />
11.2 <strong>Security</strong> of Rabin cryptosystem<br />
We shall prove that a decryption oracle Rabin-Decrypt can be incorporated into a Las Vegas algorithm that<br />
factors the modulus n with probability at least 1/2. That means that any algorithm able to decrypt can be<br />
used to factor the modulus or, put otherwise, decrypting is no easier than factoring.<br />
Factoring a Rabin modulus, given a decryption oracle<br />
- given: n = pq, p, q primes congruent to 3 modulo 4<br />
- computes: p or q using Rabin-Decrypt<br />
Algorithm:<br />
1. choose a random r ∈ Z_n^*<br />
2. y ← r^2 mod n<br />
3. x ← Rabin-Decrypt(y)<br />
4. if x ≡ ±r (mod n) then<br />
5. return ‘failure’<br />
6. else<br />
7. p ← gcd(x + r, n)<br />
8. q ← n/p<br />
9. return ‘success: n = p × q’<br />
Notice that y is a valid ciphertext and so Rabin-Decrypt will return one out of four possible plaintexts.<br />
Those are in fact ±r (mod n) and ±ωr (mod n), where ω is one of the nontrivial square roots of 1 modulo n.<br />
For the latter ones we have x^2 ≡ r^2 (mod n) but x ≢ ±r (mod n); hence (x − r)(x + r) ≡ 0 (mod n) with neither<br />
factor divisible by n, so exactly one of p, q divides x + r and gcd(x + r, n) is p or q.<br />
The probability of success is exactly 1/2: the oracle's answer x depends only on y, and of the four values of r<br />
with r^2 ≡ y (mod n), the two with r ≡ ±x lead to failure and the two with r ≡ ±ωx lead to success; r is uniform over them.<br />
We need to clarify a very important point. The reduction above shows that breaking the Rabin cryptosystem under a<br />
ciphertext-only or chosen-plaintext attack is as hard as factoring n. However, it is completely insecure against a<br />
chosen-ciphertext attack, simply because the above algorithm works just as well with Bob's real decryption algorithm<br />
in place of the Rabin-Decrypt oracle. (The security proof says that a decryption oracle can be used to factor n, and a<br />
chosen-ciphertext attack assumes precisely that such an oracle exists!) This problem can be avoided by adding redundancy<br />
to the plaintext, e.g., repeating the last 64 bits, so that the decryption routine rejects ciphertexts whose roots are not well-formed plaintexts.<br />
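The decryption of Section 11.1 and the oracle-to-factoring reduction of Section 11.2, as an added example that is not part of the lecture notes. It uses the notes' toy modulus n = 77 = 7 × 11 (a real Rabin modulus has thousands of bits); the helper names (crt2, factor_with_oracle, factor_rabin) are this example's own, and the "oracle" in the usage is simply the real decryption routine returning one of the four roots, which is exactly the chosen-ciphertext situation the text warns about.

```python
"""Rabin encryption, 4-root decryption, and the decryption-oracle -> factoring reduction.
Added example (not from the notes). n = 77 = 7 * 11 is the notes' toy modulus."""
from math import gcd
import random
import secrets


def crt2(r1, m1, r2, m2):
    """Chinese remainder theorem for coprime m1, m2: the x in Z_{m1 m2} with
    x = r1 (mod m1) and x = r2 (mod m2)."""
    inv = pow(m1, -1, m2)                      # m1^{-1} mod m2
    return (r1 + m1 * ((r2 - r1) * inv % m2)) % (m1 * m2)


def rabin_encrypt(n, x):
    """e_K(x) = x^2 mod n."""
    return x * x % n


def rabin_decrypt(p, q, y):
    """All four square roots of y modulo n = pq, sorted, for p = q = 3 (mod 4) and y a unit.
    Roots mod p are +-y^((p+1)/4) (same for q); the four combinations are glued with CRT."""
    assert p % 4 == 3 and q % 4 == 3
    rp = pow(y, (p + 1) // 4, p)
    rq = pow(y, (q + 1) // 4, q)
    roots = {crt2(sp, p, sq, q) for sp in (rp, (-rp) % p) for sq in (rq, (-rq) % q)}
    return sorted(roots)


def factor_with_oracle(n, oracle, rng=secrets.randbelow):
    """One run of the Las Vegas reduction: succeeds with probability exactly 1/2.
    `oracle(y)` must return some square root of y modulo n (any of the four)."""
    r = 1 + rng(n - 1)                         # r in [1, n-1]
    g = gcd(r, n)
    if g != 1:                                  # r was not a unit: r already reveals a factor
        return g, n // g
    x = oracle(r * r % n)
    if x in (r % n, (-r) % n):                  # x = +-r: failure
        return None
    p = gcd(x + r, n)                           # x^2 = r^2 but x != +-r, so gcd gives p or q
    return p, n // p


def factor_rabin(n, oracle, tries=64):
    """Repeat the reduction until it succeeds (failure after `tries` runs has prob. 2^-tries)."""
    for _ in range(tries):
        res = factor_with_oracle(n, oracle)
        if res:
            p, q = res
            return min(p, q), max(p, q)
    return None


if __name__ == "__main__":
    p, q = 7, 11
    n = p * q
    y = rabin_encrypt(n, 10)
    print("ciphertext of 10:", y, "roots:", rabin_decrypt(p, q, y))   # 23, [10, 32, 45, 67]
    # A decryption oracle that returns one of the four roots at random is enough to factor n.
    oracle = lambda c: random.choice(rabin_decrypt(p, q, c))
    print("factored via oracle:", factor_rabin(n, oracle))             # (7, 11)
```

Note that rabin_decrypt needs the private primes, which is why giving an attacker access to it (even as a black box that returns a single root) is fatal: factor_rabin never learns p or q from anything but the oracle's answers.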
11.3 ElGamal cryptosystem<br />
The ElGamal cryptosystem is based on the Discrete Logarithm problem, which is believed to be difficult. The<br />
one-way function used is modular exponentiation.<br />
Discrete Logarithm Problem (discretelog)<br />
- given: p a prime, α ∈ Z_p^* primitive, β ∈ Z_p^*<br />
- compute: log_α β = a, 0 ≤ a ≤ p−2, such that α^a ≡ β (mod p)<br />
ElGamal Cryptosystem<br />
P = Z_p^*; C = Z_p^* × Z_p^*; p prime, α ∈ Z_p^* primitive<br />
K = {(p,α,a,β) | β ≡ α^a (mod p)}.<br />
public: p, α, β<br />
private: a<br />
encryption: e_K(x,k) = (y_1,y_2) = (α^k mod p, xβ^k mod p)<br />
- k ∈ Z_{p−1} is a secret random number, chosen fresh for every encryption<br />
decryption: d_K(y_1,y_2) = y_2 (y_1^a)^{−1} mod p<br />
Notice that the encryption operation is randomized since the ciphertext depends on both the plaintext x and<br />
on a random value k chosen by Alice. There will be many ciphertexts (precisely p−1) which are encryptions of<br />
the same plaintext. The plaintext x is said to be masked by β^k. Bob can compute β^k ≡ (α^a)^k ≡ (α^k)^a ≡ y_1^a (mod p)<br />
because he knows a. Then he removes the mask by dividing y_2 by β^k and obtains x.<br />
Example 11.2. Assume p = 2579, α = 2, and a = 765. Then<br />
β = 2^765 mod 2579 = 949.<br />
Suppose Alice encrypts the message x = 1299 with the random k = 853. She computes<br />
y_1 = 2^853 mod 2579 = 435<br />
and<br />
y_2 = 1299 × 949^853 mod 2579 = 2396.<br />
Bob receives the ciphertext (435, 2396) and computes<br />
x = 2396 × (435^765)^{−1} mod 2579 = 1299.<br />
□
Conjecture 11.3. Security of the ElGamal cryptosystem is equivalent to the discretelog problem.<br />
Note: one direction is obvious: an algorithm for discretelog recovers the private key a = log_α β from the public key.<br />
What is actually known for the other direction is that recovering x from (y_1,y_2) is equivalent to the computational<br />
Diffie-Hellman problem in Z_p^* (computing α^{ak} from α^a and α^k), which is no harder than discretelog.<br />
12 ALGORITHMS FOR DISCRETE LOGARITHM<br />
- exhaustive search<br />
- compute α^0, α^1, α^2, ... until β is found<br />
- O(p) multiplications – inefficient for p large<br />
12.1 Shanks' baby-step giant-step algorithm<br />
- idea: if m = ⌈√(p−1)⌉ and a = jm + i with 0 ≤ i, j ≤ m−1, then<br />
α^a = α^{jm} α^i, which implies β α^{−i} = α^{mj}<br />
Shanks' algorithm for the discretelog problem<br />
- given: p a prime, α ∈ Z_p^* primitive, β ∈ Z_p^*<br />
- computes: log_α β<br />
Algorithm:<br />
1. put m = ⌈√(p−1)⌉<br />
2. compute α^{mj} mod p, 0 ≤ j ≤ m−1 (giant steps)<br />
3. sort the pairs (j, α^{mj} mod p) by the second component in a list L_1<br />
4. compute β α^{−i} mod p, 0 ≤ i ≤ m−1 (baby steps)<br />
5. sort the pairs (i, β α^{−i} mod p) by the second component in a list L_2<br />
6. find two pairs, (j,y) ∈ L_1 and (i,y) ∈ L_2 (same second component)<br />
7. return log_α β = mj + i mod (p−1)<br />
Complexity – O(√p) multiplications (and O(√p) memory for L_1; in practice L_1 is a hash table, so no sorting is needed)<br />
12.2 Pohlig-Hellman algorithm<br />
- idea: use the factorization of the order of α: p−1 = ∏_{i=1}^{k} p_i^{c_i}<br />
- we compute a = log_α β mod (p−1)<br />
- it is enough to<br />
- compute a mod p_i^{c_i} for all 1 ≤ i ≤ k and<br />
- then use the Chinese Remainder Theorem to get a mod (p−1)<br />
- computation of x = a mod q^c, where q^c | p−1 but q^{c+1} ∤ p−1<br />
- write x in base q: x = ∑_{i=0}^{c−1} a_i q^i, 0 ≤ a_i ≤ q−1 for all i<br />
- put also a = x + q^c s, for some s<br />
- compute a_0<br />
- this is done using<br />
β^{(p−1)/q} ≡ α^{(p−1)a_0/q} (mod p)<br />
- why this:<br />
- first β^{(p−1)/q} ≡ α^{(p−1)(x + q^c s)/q} (mod p)<br />
- it suffices to show (p−1)(x + q^c s)/q ≡ (p−1)a_0/q (mod p−1)<br />
- this is true because:<br />
(p−1)(x + q^c s)/q − (p−1)a_0/q = (p−1)(x + q^c s − a_0)/q<br />
= (p−1)(∑_{i=1}^{c−1} a_i q^i + q^c s)/q<br />
= (p−1)(∑_{i=1}^{c−1} a_i q^{i−1} + q^{c−1} s)<br />
≡ 0 (mod p−1)<br />
- how is a_0 computed<br />
- compute first β^{(p−1)/q} mod p<br />
- if this is 1, then a_0 = 0<br />
- if not, then compute γ = α^{(p−1)/q} mod p, γ^2 mod p, ...<br />
until γ^i ≡ β^{(p−1)/q} (mod p)<br />
- put then a_0 = i<br />
- if c = 1, we are done, if not we continue with computing a_1<br />
- compute a_1 – similarly<br />
- get rid of a_0: put β_1 = β α^{−a_0}<br />
- put also x_1 = log_α β_1 mod q^c<br />
- we have x_1 = ∑_{i=1}^{c−1} a_i q^i<br />
- then β_1^{(p−1)/q^2} ≡ α^{(p−1)a_1/q} (mod p)<br />
- compute β_1^{(p−1)/q^2} mod p<br />
- find i such that γ^i ≡ β_1^{(p−1)/q^2} (mod p)<br />
- this i will be a_1<br />
- we repeat this for finding a_2, a_3, ...<br />
Pohlig-Hellman algorithm<br />
- given: p prime, q prime, q^c | p−1, q^{c+1} ∤ p−1, α primitive modulo p, β ∈ Z_p^*<br />
- computes: log_α β mod q^c (as its base-q digits a_0, ..., a_{c−1})<br />
Algorithm:<br />
1. compute γ_i = α^{(p−1)i/q} mod p, for 0 ≤ i ≤ q−1<br />
2. put β_0 = β<br />
3. for j = 0 to c−1 do<br />
4. compute δ = β_j^{(p−1)/q^{j+1}} mod p<br />
5. find i such that δ = γ_i<br />
6. a_j = i<br />
7. β_{j+1} = β_j α^{−a_j q^j} mod p<br />
8. return a_0, a_1, ..., a_{c−1}<br />
- useful for p−1 having small prime factors only (step 1 costs q exponentiations; the search in step 5 can be replaced by baby-step giant-step in O(√q))<br />
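Both algorithms of Section 12, as an added example that is not part of the lecture notes: Shanks' baby-step giant-step (with the giant steps in a dictionary instead of a sorted list) and Pohlig-Hellman exactly as in the digit-by-digit algorithm above, combined with the Chinese Remainder Theorem over all prime powers of p−1. It recovers a = 765 from the public key β = 949 of Example 11.2 (p = 2579, where p−1 = 2 · 1289, so Pohlig-Hellman gains little) and from constructed toy instances with p = 31 and p = 37 (p−1 = 36 = 2^2 · 3^2, exercising c > 1). factor_small is this example's own trial-division helper.

```python
"""Baby-step giant-step and Pohlig-Hellman for log_alpha(beta) in Z_p^*.
Added example, not from the notes; the small parameters are constructed so it runs instantly."""
from math import isqrt


def shanks(p, alpha, beta):
    """Return a with alpha^a = beta (mod p), alpha a primitive root; O(sqrt p) time and memory."""
    m = isqrt(p - 1)
    if m * m < p - 1:
        m += 1                                   # m = ceil(sqrt(p-1))
    alpha_m = pow(alpha, m, p)
    giant = {}                                   # L_1: alpha^(mj) -> j
    cur = 1
    for j in range(m):
        giant.setdefault(cur, j)
        cur = cur * alpha_m % p
    alpha_inv = pow(alpha, -1, p)
    cur = beta % p                               # baby steps: beta * alpha^(-i)
    for i in range(m):
        if cur in giant:
            return (m * giant[cur] + i) % (p - 1)
        cur = cur * alpha_inv % p
    raise ValueError("no logarithm found (is alpha primitive?)")


def factor_small(n):
    """Trial-division factorisation {q: c} of n (fine for the toy sizes used here)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def pohlig_hellman_prime_power(p, alpha, beta, q, c):
    """log_alpha(beta) mod q^c, digit by digit, following the notes' algorithm."""
    gamma = [pow(alpha, (p - 1) * i // q, p) for i in range(q)]   # step 1: table gamma_i
    digits, beta_j = [], beta % p
    for j in range(c):
        delta = pow(beta_j, (p - 1) // q ** (j + 1), p)            # step 4
        a_j = gamma.index(delta)                                   # steps 5-6
        digits.append(a_j)
        beta_j = beta_j * pow(alpha, -a_j * q ** j, p) % p         # step 7
    return sum(a * q ** j for j, a in enumerate(digits))


def pohlig_hellman(p, alpha, beta):
    """Glue the residues modulo every q^c || p-1 together with CRT: log_alpha(beta) mod (p-1)."""
    x, mod = 0, 1
    for q, c in factor_small(p - 1).items():
        m = q ** c
        r = pohlig_hellman_prime_power(p, alpha, beta, q, c)
        x = (x + mod * ((r - x) * pow(mod, -1, m) % m)) % (mod * m)   # x = r (mod m), x unchanged mod `mod`
        mod *= m
    return x


if __name__ == "__main__":
    # Example 11.2: public key (p, alpha, beta) = (2579, 2, 949) hides the private key a = 765.
    print(shanks(2579, 2, 949), pohlig_hellman(2579, 2, 949))
```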
13 HASH FUNCTIONS AND MESSAGE AUTHENTICATION<br />
13.1 Data integrity <strong>and</strong> hash functions<br />
One of the goals of cryptography is data integrity. A (cryptographic) hash function can provide assurance of<br />
data integrity. A hash function is used to construct a short “fingerprint” of data; if the data is altered, then the<br />
fingerprint will no longer be valid. Even if the data is stored in an insecure place, its integrity can be checked<br />
by recomputing its fingerprint. We assume the fingerprint itself is stored in a secure place, where the adversary cannot replace it.<br />
If h is a hash function and x is some data, then the fingerprint is y = h(x) and is referred to as a message<br />
digest (or authentication tag). A message digest is usually a fairly short binary string; commonly 160 bits at the time of these notes. A<br />
very important application of hash functions is in the context of digital signatures.<br />
It is also very useful to have keyed hash functions. They are used as message authentication codes or MACs.<br />
We assume Alice <strong>and</strong> Bob share a common secret key K which determines a hash function h K . For a message<br />
x, the fingerprint is y = h K (x) <strong>and</strong> can be computed by both Alice <strong>and</strong> Bob. Now both the message <strong>and</strong> the<br />
fingerprint (x,y) can be sent over an insecure channel from Alice to Bob. Bob will verify that y = h K (x).<br />
Of course, we need to assume that the hash functions, keyed or not, are “secure” in a sense to be made<br />
precise.<br />
A hash family is a 4-tuple (X, Y, K, H) where X is the set of messages, Y is the set of message digests, K is<br />
the set of keys, and for each K ∈ K there is a hash function h_K ∈ H, h_K : X → Y. The set X can be finite<br />
or infinite but Y is always finite. If X is finite, then the hash function is called a compression function and we<br />
shall assume |X| ≥ |Y|. A pair (x,y) is called a valid pair under the key K if h_K(x) = y. The most important<br />
property of hash functions is that they have to prevent the construction of certain valid pairs by the adversary.<br />
The set of functions from X to Y is denoted Y^X. Clearly, if |X| = N and |Y| = M, then there are M^N such<br />
functions; the family is then called an (N,M)-hash family.<br />
A simple example of a hash function is as follows. Divide the message into blocks of the same size <strong>and</strong><br />
then xor all of them. A variant is to rotate the intermediate hash value before xor-ing with the next block; see<br />
Fig 11.8.<br />
It is easy to see that none of these is a good hash function. The adversary can simply choose any message<br />
<strong>and</strong> then append a last block to it such that it has any given message digest.<br />
13.2 Properties of hash functions<br />
Assume h : X → Y is an unkeyed hash function. We define several problems related to the security of hash<br />
functions. The idea is that a valid pair (x,y) should be possible to construct only by choosing first x <strong>and</strong> then<br />
computing y = h(x) <strong>and</strong> not otherwise. In particular, it should not be possible to construct new valid pairs<br />
using old ones. Consider for instance the hash function h : Z_n × Z_n → Z_n, given by h(x,y) = ax + by mod n,<br />
for fixed a, b ∈ Z_n. If the adversary has two valid pairs h(x_1,y_1) = z_1 and h(x_2,y_2) = z_2, then he can compute<br />
further valid pairs as follows:<br />
h(rx_1 + sx_2 mod n, ry_1 + sy_2 mod n) = rz_1 + sz_2 mod n.<br />
Therefore, this hash function is not secure.<br />
We give next some problems which have to be computationally infeasible for secure hash functions.<br />
Preimage: Given h : X → Y <strong>and</strong> y ∈ Y, find x ∈ X such that h(x) = y.<br />
If the Preimage problem is difficult to solve for a hash function h, then h is called preimage resistant or<br />
one-way.<br />
Second Preimage: Given h : X → Y <strong>and</strong> x ∈ X, find x ′ ∈ X such that x ′ ≠ x <strong>and</strong> h(x ′ ) = h(x).<br />
If the Second Preimage problem is difficult to solve for a hash function h, then h is called second preimage<br />
resistant (or sometimes weak collision resistant).<br />
Collision: Given h : X → Y, find x,x ′ ∈ X such that x ′ ≠ x <strong>and</strong> h(x ′ ) = h(x).<br />
If the Collision problem is difficult to solve for a hash function h, then h is called collision resistant (or<br />
sometimes strong collision resistant).<br />
13.3 <strong>Security</strong> of hash functions<br />
In order to analyze the complexity of algorithms for the three problems in the previous section, we shall consider<br />
the following so called r<strong>and</strong>om oracle model which provides a mathematical model of an “ideal” hash function.<br />
In this model a hash function h : X → Y is chosen r<strong>and</strong>omly <strong>and</strong> we have only oracle access to h. That means<br />
we are not given an algorithm to compute values of h. The only way to do that is to question an oracle.<br />
We have therefore the following independence property: if h is r<strong>and</strong>omly chosen <strong>and</strong> X 0 ⊆ X such that the<br />
values h(x) were determined (by querying an oracle for h) iff x ∈ X 0 , then Prob(h(x) = y) = 1/M for all<br />
x ∈ X −X 0 <strong>and</strong> all y ∈ Y.<br />
The algorithms below are randomized; i.e., they can make random choices during their execution. We shall<br />
call an (ε,q)-algorithm a Las Vegas algorithm with average-case success probability ε which can make at most q<br />
queries to the oracle.<br />
FindPreimage(h,y,q)<br />
- given: h hash function, y message digest, q maximum number of oracle queries<br />
- computes: a preimage x or fail<br />
Algorithm:<br />
1. choose X 0 ⊆ X with |X 0 | = q<br />
2. for each x ∈ X 0 do<br />
3. if h(x) = y then return x<br />
4. return fail<br />
The average-case success probability of the algorithm FindPreimage is<br />
ε = 1 − (1 − 1/M)^q<br />
(which, for q small compared to M, is approximately q/M). To see this, let X_0 = {x_1, ..., x_q} and let E_i be the<br />
event “h(x_i) = y.” From the independence property we have Prob(E_i) = 1/M and so<br />
Prob(E_1 ∨ ··· ∨ E_q) = 1 − (1 − 1/M)^q.<br />
FindSecondPreimage(h,x,q)<br />
- given: h hash function, x message, q maximum number of oracle queries<br />
- computes: a second preimage x 0 or fail<br />
Algorithm:<br />
1. y ← h(x)<br />
2. choose X 0 ⊆ X −{x} with |X 0 | = q −1<br />
3. for each x 0 ∈ X 0 do<br />
4. if h(x 0 ) = y then return x 0<br />
5. return fail<br />
The average-case success probability of the algorithm FindSecondPreimage is<br />
ε = 1 − (1 − 1/M)^{q−1}.<br />
FindCollision(h,q)<br />
- given: h hash function, q maximum number of oracle queries<br />
- computes: a collision (x,x ′ ) or fail<br />
Algorithm:<br />
1. choose X 0 ⊆ X with |X 0 | = q<br />
2. for each x ∈ X 0 do<br />
3. y x ← h(x)<br />
4. if y x = y x ′ for some x ≠ x ′ then<br />
5. return (x,x ′ )<br />
6. return fail<br />
The average-case success probability of the algorithm FindCollision is<br />
ε = 1 − (1 − 1/M)(1 − 2/M) ··· (1 − (q−1)/M).<br />
To see this, let X_0 = {x_1, ..., x_q} and let E_i be the event “h(x_i) ∉ {h(x_1), ..., h(x_{i−1})}.” We have that<br />
Prob(E_i | E_1 ∧ ··· ∧ E_{i−1}) = (M − i + 1)/M.<br />
Therefore,<br />
Prob(E_1 ∧ ··· ∧ E_q) = ((M−1)/M) ((M−2)/M) ··· ((M−q+1)/M),<br />
which implies our result.<br />
As seen above, the probability to find a collision is<br />
1 − (1 − 1/M)(1 − 2/M) ··· (1 − (q−1)/M).<br />
For x small, we have e^{−x} = 1 − x + x^2/2! − x^3/3! + ··· ≈ 1 − x. Therefore, the probability of finding no collision is<br />
approximately<br />
∏_{i=1}^{q−1} (1 − i/M) ≈ ∏_{i=1}^{q−1} e^{−i/M} = e^{−∑_{i=1}^{q−1} i/M} = e^{−q(q−1)/(2M)}.<br />
Therefore, the probability of finding at least one collision is<br />
ε ≈ 1 − e^{−q(q−1)/(2M)}.<br />
Solving for q, we have<br />
q^2 − q ≈ 2M ln(1/(1−ε))<br />
and ignoring the term q gives<br />
q ≈ √(2M ln(1/(1−ε))).<br />
For ε = 0.5 we get<br />
q ≈ 1.17 √M.<br />
This means that approximately √ M r<strong>and</strong>om elements of X yield a collision with probability 1/2. The birthday<br />
paradox is obtained for M = 365 which gives q = 22.3. So, the probability that 2 people among 23 r<strong>and</strong>omly<br />
chosen have the same birthday is 1/2 (This is no paradox but it is probably unexpected.) From this example,<br />
the attack which tries a high number of r<strong>and</strong>om choices attempting to find a collision is called birthday attack.<br />
Size of message digests. The birthday attack imposes a lower bound on the size of secure message digests.<br />
A 40-bit message digest would be very insecure since a collision would be found with probability 1/2 after only about<br />
2^20 ≈ 10^6 random hashes. In general an m-bit digest offers at most 2^{m/2} work against collisions. At the time of these notes the minimum acceptable size was 128 bits, with 160-bit message digests recommended;<br />
today 128-bit digests (2^64 collision work) are no longer considered adequate and 256-bit digests, e.g., SHA-256, are standard practice.<br />
Comparison of security criteria. Solving the Collision problem is easier than Preimage or Second Preimage.<br />
The former requires a number of hashes proportional to √M while the latter two need a number of hashes<br />
which is linear in M.<br />
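The birthday attack of Section 13.3 run for real, as an added example that is not part of the lecture notes. The random oracle h : X → Y is replaced by a constructed stand-in, SHA-256 truncated to a chosen number of bits (so M = 2^bits); find_collision is FindCollision with X_0 taken as the strings "msg-1", "msg-2", ..., and birthday_queries is the q ≈ √(2M ln(1/(1−ε))) estimate derived above. Function names are this example's own.

```python
"""Birthday attack on a truncated hash, and the q ~ sqrt(2 M ln(1/(1-eps))) estimate.
Added example, not from the lecture notes. The hash is a constructed stand-in for the
random oracle: SHA-256 truncated to `bits` bits, so M = |Y| = 2^bits."""
import hashlib
import math


def truncated_hash(x: bytes, bits: int) -> int:
    """h(x) = the first `bits` bits of SHA-256(x), as an integer in [0, 2^bits)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - bits)


def birthday_queries(M: float, eps: float) -> float:
    """Number of random inputs needed for a collision with probability eps (the notes' formula)."""
    return math.sqrt(2 * M * math.log(1 / (1 - eps)))


def find_collision(bits: int, max_queries=None):
    """FindCollision with X_0 = {"msg-1", "msg-2", ...}: hash until two distinct inputs share
    a digest. Returns (x, x', queries_used) or None if the budget runs out. The default budget
    is 8x the 50%-probability estimate, so running out has probability about e^(-32)."""
    if max_queries is None:
        max_queries = 8 * int(birthday_queries(2 ** bits, 0.5))
    seen = {}                                   # digest -> first input that produced it
    for q in range(1, max_queries + 1):
        x = f"msg-{q}".encode()
        y = truncated_hash(x, bits)
        if y in seen:                           # seen[y] != x since every input is new
            return seen[y], x, q
        seen[y] = x
    return None


if __name__ == "__main__":
    bits = 32                                   # M = 2^32: about 77,000 hashes expected
    print("expected queries for 50%:", round(birthday_queries(2 ** bits, 0.5)))
    x1, x2, used = find_collision(bits)
    print(f"collision after {used} hashes: {x1!r} and {x2!r}")
```

Running it at 32 bits finds a collision after on the order of 2^16 hashes, which is the whole point of the √M bound: a 64-bit digest would fall to roughly 2^32 hashes on a laptop, while a preimage for the same digest costs about 2^64.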
13.4 Iterated hash functions<br />
So far we have considered hash functions with a finite domain (compressions functions). In practice we need<br />
hash functions with very large domains. We show next a technique which uses a compression function to build<br />
a hash function with infinite domain. The compression function is used repeatedly <strong>and</strong> the obtained function is<br />
called iterated hash function. The basic principle of this construction applies to most hash functions currently<br />
in use. We shall assume all messages are binary.<br />
Assume we have a compression function f : {0,1}^{n+b} → {0,1}^n and an input string x. We first pad x at<br />
the end such that its length becomes a multiple of b and then break the obtained string into blocks of length<br />
b each; the blocks are y_1, y_2, .... Then, each block y_i is appended to the message digest from the<br />
previous compression (of length n) and the result is compressed again using the compression function. The last<br />
compression gives the message digest; see Fig 11.10. Usually, the length of x is also appended at the end (this is called Merkle-Damgård strengthening).<br />
The point of the construction is that the security of the compression function carries over to the iterated function. We show<br />
below a precise such construction of an iterated function, for which it can be proved that collision resistance is preserved.<br />
Assume compress : {0,1}^{m+t} → {0,1}^m is a collision resistant compression function. We shall use compress<br />
to construct a collision resistant hash function<br />
h : ⋃_{i=m+t+1}^{∞} {0,1}^i → {0,1}^m.<br />
We shall assume t ≥ 2 but the construction can also be done for t = 1. The construction is shown in the<br />
algorithm below.<br />
Merkle-Damgård(x)<br />
- given: compress collision resistant function, x message with |x| ≥ m+t+1<br />
- computes: h(x) message digest<br />
Algorithm:<br />
1. n ← |x|, k ← ⌈n/(t−1)⌉, d ← k(t−1) − n (d is the length to be padded)<br />
2. put x = x_1 ‖ x_2 ‖ ··· ‖ x_k, with |x_i| = t−1 for 1 ≤ i ≤ k−1 (and |x_k| = t−1−d)<br />
3. for i from 1 to k−1 do<br />
4. y_i ← x_i (the first k−1 blocks)<br />
5. y_k ← x_k ‖ 0^d (the last block is padded)<br />
6. y_{k+1} ← 0^{t−1−|binary(d)|} ‖ binary(d) (the length of the padding is appended)<br />
7. z_1 ← 0^{m+1} ‖ y_1 (initial value)<br />
8. g_1 ← compress(z_1)<br />
9. for i from 1 to k do<br />
10. z_{i+1} ← g_i ‖ 1 ‖ y_{i+1} (next string to be compressed)<br />
11. g_{i+1} ← compress(z_{i+1})<br />
12. h(x) ← g_{k+1} (the last compression gives the digest)<br />
13. return h(x)<br />
It can be proved that if compress is collision resistant, then h is collision resistant. The idea is, given a<br />
collision for h, a collision for compress can be found in polynomial time.<br />
13.5 MD5<br />
– see textbook<br />
13.6 SHA-1<br />
– see textbook<br />
13.7 RIPEMD-160<br />
– see textbook<br />
13.8 Message authentication codes<br />
A common way of constructing a MAC is to incorporate a secret key into an unkeyed hash function, by including<br />
it as a part of the message to be hashed. However, this must be done carefully. We show below some possible<br />
pitfalls.<br />
Let h be an unkeyed iterated hash function built from a compression function compress : {0,1}^{m+t} → {0,1}^m. Assume the key K has m bits and is<br />
incorporated as the initial vector IV, i.e., h_K(x) is h(x) computed with IV = K. An opponent can construct a valid MAC for a longer message,<br />
assuming he knows one pair (x, h_K(x)): for any t-bit string x′, the MAC for the message x‖x′ is<br />
h_K(x‖x′) = compress(h_K(x)‖x′),<br />
which the opponent computes without knowing K, because h_K(x) is exactly the chaining value after x has been absorbed.<br />
We assumed above that messages are not padded; their length was assumed to be already a multiple of t. But even<br />
if messages are padded, a modification of the above attack can be carried out. Assume y = x‖pad(x). Let w be<br />
a bit string of length t and put<br />
x′ = x‖pad(x)‖w.<br />
We have<br />
y′ = x′‖pad(x′) = x‖pad(x)‖w‖pad(x′).<br />
Also |y′| = r′t and |y| = rt where r′ > r. When computing h_K(x′), the first r compressions are exactly those of h_K(x), so<br />
z_r = h_K(x), and the remaining ones are<br />
z_{r+1} ← compress(h_K(x)‖y′_{r+1})<br />
z_{r+2} ← compress(z_{r+1}‖y′_{r+2})<br />
...<br />
z_{r′} ← compress(z_{r′−1}‖y′_{r′}).<br />
So, again, the opponent can compute h_K(x′) without knowing K, needing only h_K(x) and |x| (to reproduce pad(x)).<br />
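The iterated construction of Section 13.4 and the length-extension forgery of Section 13.8 together, as an added example that is not part of the lecture notes. compress is a constructed toy (SHA-256 of chaining value ‖ block, truncated to m = 64 bits, with t = 64-bit blocks) and the padding is the usual strengthening (a 1 bit, zeros, then the bit length), not the notes' Merkle-Damgård variant with the 1-bit separators; the function names are this example's own. length_extension_forgery is given only the tag and |x|, never K, and produces a valid tag for x‖pad(x)‖w; nested_mac shows the HMAC-style fix, which hashes the key in a second, outer pass so that the tag is no longer a chaining value.

```python
"""Iterated (Merkle-Damgard style) hash, the secret-prefix MAC of 13.8, its length-extension
forgery, and an HMAC-style fix. Added example, not from the notes. compress() is a constructed
toy: SHA-256 of (chaining value || block) truncated to m = 64 bits; blocks are t = 64 bits."""
import hashlib

M_BYTES, T_BYTES = 8, 8                   # m = 64-bit chaining value/digest, t = 64-bit blocks


def compress(z: bytes) -> bytes:
    """Toy compression function {0,1}^(m+t) -> {0,1}^m (constructed for this example)."""
    assert len(z) == M_BYTES + T_BYTES
    return hashlib.sha256(z).digest()[:M_BYTES]


def pad_for_length(n: int) -> bytes:
    """pad(x) for an n-byte x: 0x80, zeros, then the 64-bit bit-length; depends only on |x|."""
    p = b"\x80"
    while (n + len(p) + 8) % T_BYTES:
        p += b"\x00"
    return p + (8 * n).to_bytes(8, "big")


def iterated_hash(iv: bytes, x: bytes) -> bytes:
    """h_IV(x): chain compress over the t-bit blocks of x || pad(x), starting from iv."""
    y = x + pad_for_length(len(x))
    g = iv
    for i in range(0, len(y), T_BYTES):
        g = compress(g + y[i:i + T_BYTES])
    return g


def secret_prefix_mac(key: bytes, x: bytes) -> bytes:
    """The flawed MAC of 13.8: the m-bit key is used as the IV."""
    assert len(key) == M_BYTES
    return iterated_hash(key, x)


def length_extension_forgery(tag: bytes, x_len: int, w: bytes):
    """Attacker's side: from (|x|, h_K(x)) alone, forge the tag of x' = x || pad(x) || w.
    Returns (glue, tag') where glue = pad(x); the victim will accept (x || glue || w, tag')."""
    glue = pad_for_length(x_len)                       # pad(x) without knowing x
    full_len = x_len + len(glue) + len(w)              # |x'| in bytes
    tail = w + pad_for_length(full_len)                # the blocks that follow x || pad(x) in x' || pad(x')
    g = tag                                            # h_K(x) is the chaining value at that point
    for i in range(0, len(tail), T_BYTES):
        g = compress(g + tail[i:i + T_BYTES])
    return glue, g


IV0 = bytes(M_BYTES)                                   # public, fixed IV for the repaired MAC


def nested_mac(key: bytes, x: bytes) -> bytes:
    """HMAC-style repair: the key enters an outer hash too, so the tag is not a chaining value
    an attacker can continue from. (Real HMAC also XORs the key with ipad/opad constants.)"""
    inner = iterated_hash(IV0, key + x)
    return iterated_hash(IV0, key + inner)


if __name__ == "__main__":
    key = bytes(range(M_BYTES))                        # constructed sample key
    x = b"amount=100&to=alice"                         # constructed sample message
    tag = secret_prefix_mac(key, x)
    glue, forged = length_extension_forgery(tag, len(x), b"&to=mallory")
    x_prime = x + glue + b"&to=mallory"
    print("forgery accepted:", secret_prefix_mac(key, x_prime) == forged)   # True
```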
13.9 CBC-MAC<br />
One of the most widely used MACs is based on the CBC mode of DES with an initialization vector of zeros. The<br />
data are grouped into 64-bit blocks. If necessary, the final block is padded with zeros to the right to have 64<br />
bits. The code is produced as shown in Fig. 11.6.<br />
Caveat: plain CBC-MAC is secure only when all messages have one fixed, agreed length. With variable-length messages an<br />
attacker who holds tags for messages of his choice can forge the tag of a longer message (and zero padding already makes<br />
x and x‖0 collide whenever the last block is not full). Variants designed for variable-length input, such as CMAC, should be<br />
used instead, and a 64-bit block (and tag) is itself too small for a modern MAC.<br />
13.10 HMAC<br />
– see textbook<br />
13.11 Basic uses of encryption, hash functions, <strong>and</strong> MACs<br />
We show in Figs. 11.1, 11.4, <strong>and</strong> 11.5 <strong>and</strong> Tables 11.1, 11.2, <strong>and</strong> 11.3 the basic ways to use encryption, MACs,<br />
<strong>and</strong> hash functions in order to achieve goals such as confidentiality, authentication, <strong>and</strong> signature.<br />
The notations used are described below:<br />
- M – message (plaintext)<br />
- E – encryption algorithm<br />
- D – decryption algorithm<br />
- C – MAC algorithm<br />
- H – hash algorithm<br />
- K (or K 1 ,K 2 ) – secret key<br />
- KU a – A’s public key
- KR a – A’s private key<br />
- KU b – B’s public key<br />
- KR b – B’s private key
14 DIGITAL SIGNATURES AND AUTHENTICATION<br />
- a method of signing a message in electronic form<br />
- the result is called a digital signature<br />
14.1 Digital versus conventional signatures<br />
- attaching to the document<br />
- conventional signature – physically attached to a document<br />
- digital signature – is not physically attached<br />
- it must be somehow bound to the message<br />
- verifying<br />
- conventional – verified by comparison with others<br />
- digital – verified using a publicly known verification algorithm<br />
- to prevent forgeries<br />
- copying<br />
- conventional – a copy should be different from the original :-)<br />
- digital – a copy is perfectly identical<br />
- must prevent reuse – e.g., include the date in the message<br />
14.2 What is a signature scheme<br />
- two components<br />
- signing algorithm – secret – the message x is signed: sig(x)<br />
- verification algorithm – public – ver(x,y) – verifies the signature<br />
- signature scheme – (P,A,K,S,V)<br />
- P – messages<br />
- A – signatures<br />
- K – keys<br />
- S – signing algorithms<br />
- V – verification algorithms<br />
- for each K ∈ K, there are sig K ∈ S <strong>and</strong> ver K ∈ V<br />
- sig K : P → A – polynomial-time function, secret<br />
- ver K : P ×A → {true,false} – polynomial-time function, public<br />
- for every message x ∈ P and every signature y ∈ A:<br />
ver_K(x,y) = true if y = sig_K(x), and false if y ≠ sig_K(x)<br />
- goal – computationally infeasible for Oscar to forge Bob’s signature on a message x<br />
- unconditional security – impossible<br />
- given sufficient time, Oscar can test all possible y’s using the public ver until the right one is found<br />
14.3 RSA signature scheme<br />
RSA signature scheme<br />
P = A = Z_n; n = pq, p, q primes<br />
K = {(n,p,q,a,b) | n = pq, p, q primes, ab ≡ 1 (mod φ(n))}.<br />
public: n, b<br />
private: p, q, a<br />
signature: sig_K(x) = x^a mod n<br />
verification: ver_K(x,y) = true iff x = y^b mod n<br />
- i.e., sig_K = d_K (RSA decryption with the private exponent)<br />
- and verification checks x = e_K(y) (RSA encryption with the public exponent)<br />
- only Bob can sign messages since d K is secret<br />
- anyone can verify signatures since e K is public<br />
- forged signatures on random messages<br />
- Oscar can choose y and compute x = e_K(y)<br />
- this means sig_K(x) = y, so y is a correct signature for x<br />
- problem (for Oscar): x is meaningless, with very high probability<br />
- in practice one signs a message digest h(x) instead of x; then this forgery requires finding a message with a prescribed digest, i.e., a preimage of y^b<br />
- combining signing <strong>and</strong> public-key encrypting<br />
- Alice wants to send a signed encrypted message x to Bob<br />
- Alice computes her signature: y = sig Alice (x)<br />
- Alice encrypts both x <strong>and</strong> y using Bob’s public key: z = e Bob (x,y)<br />
- Bob receives z <strong>and</strong> first decrypts it: d Bob (z)<br />
- Bob uses Alice’s public verification algorithm: ver Alice (x,y) = true<br />
- what if encryption comes first (before signing)<br />
- Alice computes: z = e Bob (x), y = sig Alice (z), <strong>and</strong> sends (z,y)<br />
- Bob computes: ver Alice (z,y) = true <strong>and</strong> x = d Bob (z) (in any order)<br />
- problem: Oscar can replace (z,y) by (z,y ′ = sig Oscar (z))<br />
- Oscar can sign z without decrypting<br />
- Bob will infer that the message x originated with Oscar<br />
14.4 ElGamal signature scheme<br />
ElGamal signature scheme<br />
P = Z_p^*; A = Z_p^* × Z_{p−1}; p prime, α ∈ Z_p^* primitive<br />
K = {(p,α,a,β) | β ≡ α^a (mod p)}.<br />
public: p, α, β<br />
private: a<br />
signature: sig_K(x,k) = (γ,δ) = (α^k mod p, (x − aγ)k^{−1} mod (p−1))<br />
- k ∈ Z_{p−1}^* is a secret random number, fresh for every signature<br />
verification: ver_K(x,(γ,δ)) = true iff β^γ γ^δ ≡ α^x (mod p)<br />
- correctness<br />
- we have by construction x ≡ aγ + kδ (mod p−1)<br />
- therefore β^γ γ^δ ≡ α^{aγ} α^{kδ} ≡ α^x (mod p)<br />
- security<br />
- Oscar wants to compute a signature for a message x without knowing a<br />
- if he chooses γ, he has to compute δ = log_γ(α^x β^{−γ})<br />
- this is a discretelog problem<br />
- if he chooses δ, he has to compute γ from β^γ γ^δ ≡ α^x (mod p)<br />
- no feasible solution known to this problem<br />
- it does not seem to be related to discretelog<br />
- open problem – it might be possible to compute γ <strong>and</strong> δ simultaneously such that (γ,δ) is a signature<br />
- (useless) forgeries<br />
- Oscar can choose γ, δ, x simultaneously<br />
- assume 0 ≤ i ≤ p−2, 0 ≤ j ≤ p−2, gcd(j, p−1) = 1<br />
- Oscar chooses:<br />
γ = α^i β^j mod p<br />
δ = −γ j^{−1} mod (p−1)<br />
x = −γ i j^{−1} mod (p−1) (j^{−1} is computed modulo p−1)<br />
- then (γ,δ) is a valid signature for x<br />
- Oscar begins with a message previously signed by Bob: (γ,δ) = sig_Bob(x)<br />
- Oscar can sign other messages<br />
- assume 0 ≤ h, i, j ≤ p−2, gcd(hγ − jδ, p−1) = 1<br />
- Oscar computes:<br />
λ = γ^h α^i β^j mod p<br />
µ = δλ(hγ − jδ)^{−1} mod (p−1)<br />
x′ = λ(hx + iδ)(hγ − jδ)^{−1} mod (p−1)<br />
- then (λ,µ) is a valid signature for x′<br />
- these forgeries are no threat to the security as Oscar cannot sign a message of his own choosing (signing a digest h(x) instead of x rules them out entirely)<br />
- careless use of the scheme<br />
- k must not be revealed<br />
a = (x − kδ)γ^{−1} mod (p−1) – the system is broken<br />
- signing two messages with the same k<br />
- assume sig_K(x_1) = (γ,δ_1) and sig_K(x_2) = (γ,δ_2)<br />
- then<br />
α^{x_1 − x_2} ≡ γ^{δ_1 − δ_2} (mod p)<br />
- so, using γ = α^k,<br />
α^{x_1 − x_2} ≡ α^{k(δ_1 − δ_2)} (mod p)<br />
- this gives<br />
x_1 − x_2 ≡ k(δ_1 − δ_2) (mod p−1)<br />
- if d = gcd(δ_1 − δ_2, p−1) then d | (x_1 − x_2)<br />
- put<br />
x′ = (x_1 − x_2)/d, δ′ = (δ_1 − δ_2)/d, p′ = (p−1)/d<br />
- we have then<br />
x′ ≡ kδ′ (mod p′)<br />
- this gives<br />
k = x′(δ′)^{−1} mod p′<br />
- there are d candidates for k:<br />
k = x′(δ′)^{−1} + ip′ mod (p−1), 0 ≤ i ≤ d−1<br />
- the correct one comes from<br />
γ ≡ α^k (mod p)<br />
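ElGamal signing and verification, and the key recovery from two signatures with the same k, as an added example that is not part of the lecture notes. The parameters p = 467, α = 2 (a primitive root modulo 467), a = 127, k = 213 and the messages 100 and 350 are constructed toy values; messages are taken already reduced modulo p−1. solve_linear is this example's own helper: it solves cu ≡ r (mod m) in general, enumerating the d = gcd(c, m) candidates exactly as in the derivation above, and is reused to solve aγ ≡ x − kδ (mod p−1) for a, which also covers the case gcd(γ, p−1) > 1 where the one-line formula a = (x − kδ)γ^{−1} does not apply.

```python
"""ElGamal signatures and the key recovery when a nonce k is reused.
Added example, not from the notes; p = 467, alpha = 2, a = 127 are constructed toy values."""
from math import gcd


def elgamal_sign(p, alpha, a, x, k):
    """(gamma, delta) = (alpha^k mod p, (x - a*gamma) k^{-1} mod (p-1)); needs gcd(k, p-1) = 1."""
    assert 1 <= k < p - 1 and gcd(k, p - 1) == 1, "k must be a unit modulo p-1"
    gamma = pow(alpha, k, p)
    delta = (x - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, delta


def elgamal_verify(p, alpha, beta, x, sig):
    """true iff beta^gamma * gamma^delta = alpha^x (mod p), with 0 < gamma < p."""
    gamma, delta = sig
    if not 0 < gamma < p:
        return False
    return pow(beta, gamma, p) * pow(gamma, delta, p) % p == pow(alpha, x, p)


def solve_linear(c, r, m):
    """All u in Z_m with c*u = r (mod m). With d = gcd(c, m) there are d solutions if d | r,
    namely u0 + i*(m/d) for 0 <= i < d, and none otherwise."""
    d = gcd(c, m)
    if r % d:
        return []
    c, r, m_d = c // d, r // d, m // d
    u0 = r * pow(c, -1, m_d) % m_d if m_d > 1 else 0
    return [u0 + i * m_d for i in range(d)]


def recover_from_reused_k(p, alpha, beta, x1, sig1, x2, sig2):
    """Two signatures sharing gamma (same k): recover k and then the private key a.
    Returns (k, a) or None."""
    gamma, d1 = sig1
    gamma2, d2 = sig2
    if gamma != gamma2:
        return None
    # x1 - x2 = k (d1 - d2) (mod p-1): at most d = gcd(d1 - d2, p-1) candidates for k
    for k in solve_linear((d1 - d2) % (p - 1), (x1 - x2) % (p - 1), p - 1):
        if pow(alpha, k, p) != gamma:            # the correct candidate satisfies gamma = alpha^k
            continue
        # x1 = a gamma + k d1 (mod p-1): solve for a, then confirm against the public key
        for a in solve_linear(gamma % (p - 1), (x1 - k * d1) % (p - 1), p - 1):
            if pow(alpha, a, p) == beta:
                return k, a
    return None


if __name__ == "__main__":
    p, alpha, a = 467, 2, 127
    beta = pow(alpha, a, p)
    k = 213                                      # the same k, reused for two messages
    s1 = elgamal_sign(p, alpha, a, 100, k)
    s2 = elgamal_sign(p, alpha, a, 350, k)
    print("valid:", elgamal_verify(p, alpha, beta, 100, s1), elgamal_verify(p, alpha, beta, 350, s2))
    print("recovered (k, a):", recover_from_reused_k(p, alpha, beta, 100, s1, 350, s2))   # (213, 127)
```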
14.5 Schnorr signature scheme<br />
- idea: using two primes p ≈ 2^1024 and q ≈ 2^160, sign message digests of size log_2 q using signatures of size<br />
2 log_2 q, such that the computations are done in Z_p<br />
Schnorr signature scheme<br />
P = {0,1}^*; A = Z_q × Z_q; p prime, q prime, q | p−1<br />
K = {(p,q,α,a,β) | β ≡ α^a (mod p)}; α ∈ Z_p^* a qth root of 1 modulo p<br />
- α = α_0^{(p−1)/q} mod p, for α_0 primitive<br />
public: p, q, α, β<br />
private: a<br />
signature: sig_K(x,k) = (γ,δ) = (h(x ‖ α^k mod p), k + aγ mod q)<br />
- h : {0,1}^* → Z_q is a secure hash function<br />
- 1 ≤ k ≤ q−1 is a secret random number<br />
verification: ver_K(x,(γ,δ)) = true iff h(x ‖ α^δ β^{−γ} mod p) = γ<br />
- correctness<br />
- it is easy to check that α^δ β^{−γ} ≡ α^{k + aγ} α^{−aγ} ≡ α^k (mod p)<br />
14.6 Digital Signature Algorithm (DSA)<br />
Digital Signature Algorithm (DSA)<br />
P = {0,1}^*; A = Z_q × Z_q; p an L-bit prime (512 ≤ L ≤ 1024, L ≡ 0 (mod 64)), q a 160-bit prime, q | p−1<br />
- these are the sizes of the original standard; the current FIPS 186-4 allows p of 2048 or 3072 bits with q of 224 or 256 bits, and SHA-2 in place of SHA-1<br />
K = {(p,q,α,a,β) | β ≡ α^a (mod p)}; α ∈ Z_p^* a qth root of 1 modulo p<br />
- α = α_0^{(p−1)/q} mod p, for α_0 primitive<br />
public: p, q, α, β<br />
private: a<br />
signature: sig_K(x,k) = (γ,δ) = ((α^k mod p) mod q, (SHA-1(x) + aγ)k^{−1} mod q)<br />
- 1 ≤ k ≤ q−1 is a secret random number, fresh and uniformly random for every signature (reusing or biasing k leaks a, exactly as for ElGamal)<br />
- if γ = 0 or δ = 0 then a new random k is chosen<br />
verification: ver_K(x,(γ,δ)) = true iff (α^{e_1} β^{e_2} mod p) mod q = γ, where<br />
e_1 = SHA-1(x) δ^{−1} mod q<br />
e_2 = γ δ^{−1} mod q<br />
- correctness<br />
- start with the ElGamal signature sig_K(x,k) = (γ,δ) = (α^k mod p, (x − aγ)k^{−1} mod (p−1))<br />
- change δ to δ = (x + aγ)k^{−1} mod (p−1)<br />
- verification becomes: α^x β^γ ≡ γ^δ (mod p)<br />
- since α (hence β and γ) has order q, we can reduce all exponents modulo q: α^{x mod q} β^{γ mod q} ≡ γ^{δ mod q} (mod p)<br />
- we can assume x is already reduced as it is a message digest<br />
- put δ = (x + aγ)k^{−1} mod q, γ′ = γ mod q<br />
- verification is now: α^x β^{γ′} ≡ γ^δ (mod p)<br />
- raise both sides to the power δ^{−1} mod q: α^{xδ^{−1}} β^{γ′δ^{−1}} mod p = γ<br />
- reduce modulo q: (α^{xδ^{−1}} β^{γ′δ^{−1}} mod p) mod q = γ′<br />
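DSA with toy parameters, as an added example that is not part of the lecture notes. p = 7879 and q = 101 (p−1 = 78 · 101) are constructed values far below any real size; α is derived as α_0^{(p−1)/q} mod p exactly as above, SHA-1 is kept because the notes specify it, and its digest is reduced modulo q because q here is only 7 bits (with a 160-bit q the digest is used directly). The checks γ ≠ 0, δ ≠ 0 at signing and 0 < γ, δ < q at verification are part of the standard; the function names are this example's own.

```python
"""DSA signing and verification with toy parameters. Added example, not from the notes.
p = 7879, q = 101 (q | p-1) are constructed toy values; real DSA uses (L, N) = (2048, 256)."""
import hashlib
import secrets

P, Q = 7879, 101                                  # constructed: 7879 = 78 * 101 + 1, both prime


def make_generator(p, q):
    """alpha = alpha0^((p-1)/q) mod p for the first alpha0 that gives alpha != 1:
    a q-th root of unity, i.e. an element of order exactly q."""
    for alpha0 in range(2, p):
        alpha = pow(alpha0, (p - 1) // q, p)
        if alpha != 1:
            return alpha
    raise ValueError("no generator found")


def digest(x: bytes, q: int) -> int:
    """SHA-1(x) as an integer, reduced mod q (only needed because q is tiny here)."""
    return int.from_bytes(hashlib.sha1(x).digest(), "big") % q


def dsa_sign(p, q, alpha, a, x: bytes, rng=secrets.randbelow):
    """(gamma, delta) = ((alpha^k mod p) mod q, (SHA-1(x) + a*gamma) k^{-1} mod q);
    a fresh uniformly random k in [1, q-1] per signature, retried if gamma or delta is 0."""
    while True:
        k = 1 + rng(q - 1)
        gamma = pow(alpha, k, p) % q
        if gamma == 0:
            continue
        delta = (digest(x, q) + a * gamma) * pow(k, -1, q) % q
        if delta != 0:
            return gamma, delta


def dsa_verify(p, q, alpha, beta, x: bytes, sig):
    """true iff (alpha^e1 * beta^e2 mod p) mod q = gamma, e1 = h delta^{-1}, e2 = gamma delta^{-1} (mod q)."""
    gamma, delta = sig
    if not (0 < gamma < q and 0 < delta < q):     # reject out-of-range components (standard check)
        return False
    w = pow(delta, -1, q)
    e1 = digest(x, q) * w % q
    e2 = gamma * w % q
    return (pow(alpha, e1, p) * pow(beta, e2, p) % p) % q == gamma


if __name__ == "__main__":
    alpha = make_generator(P, Q)
    a = 75                                        # constructed private key
    beta = pow(alpha, a, P)
    sig = dsa_sign(P, Q, alpha, a, b"hello")
    print("alpha =", alpha, "signature =", sig)
    print("verify:", dsa_verify(P, Q, alpha, beta, b"hello", sig))          # True
    print("tampered gamma:", dsa_verify(P, Q, alpha, beta, b"hello", (0, sig[1])))   # False
```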
15 KEY DISTRIBUTION AND KEY AGREEMENT<br />
- secret-key cipher – needs a secure channel to exchange a secret key<br />
- public-key cipher – needs no secure channel to exchange a secret key<br />
- public-key ciphers – much slower than secret-key ciphers (1500 times)<br />
- for long messages<br />
- encryption is done using secret-key ciphers<br />
- the secret keys are exchanged using public-key ciphers<br />
- key distribution – one party chooses a secret key and transmits it to other parties<br />
- key agreement – a protocol where several parties establish together a secret key over a public channel<br />
- setup<br />
- insecure network of $n$ users<br />
- we might have a trusted authority (TA), which<br />
- verifies identities<br />
- chooses keys<br />
- transmits keys<br />
- adversary (Oscar)<br />
- passive – eavesdropping<br />
- active<br />
- alter messages<br />
- save messages for later use<br />
- masquerade as various users<br />
- examples of Oscar’s potential goals:<br />
- to fool two users $U$ and $V$ into accepting an invalid key<br />
- to make $U$ believe that he has exchanged a key with $V$ when he actually has not<br />
- goal – $U$ and $V$ should have at the end of the protocol a secret key, unknown to anyone else (except possibly<br />
the TA)<br />
15.1 Key distribution<br />
- if each pair of users independently exchanges a secret key (over a secure channel) then:<br />
- $\binom{n}{2}$ secure channels needed<br />
- $\binom{n}{2}$ keys needed<br />
- each user must store $n-1$ keys<br />
- with TA<br />
- for each pair of users $U, V$, it chooses and transmits a key $K_{U,V} = K_{V,U}$<br />
- $n$ secure channels needed – instead of $\binom{n}{2}$<br />
- $\binom{n}{2}$ keys needed<br />
- each user must store $n-1$ keys<br />
- still too many keys – of the order $n^2$<br />
- this is called the $n^2$-problem<br />
- goal<br />
- to reduce the number of transmitted keys<br />
- to reduce the number of stored keys<br />
- still each pair of users should be able to compute independently the secret $K_{U,V} = K_{V,U}$<br />
15.2 Blom key distribution scheme<br />
Blom Key Distribution Scheme<br />
- given: $p$ a public prime and, for each user $U$, a public $r_U \in \mathbb{Z}_p$<br />
1. TA chooses secret random $a, b, c \in \mathbb{Z}_p$<br />
2. TA forms the polynomial $f(x,y) = a + b(x+y) + cxy \bmod p$<br />
3. TA transmits to each $U$: $a_U = a + b\,r_U \bmod p$ and $b_U = b + c\,r_U \bmod p$<br />
4. $U$ has $g_U(x) = a_U + b_U x = f(x, r_U) \bmod p$<br />
5. $U$ and $V$ communicate by using the common secret key<br />
$K_{U,V} = K_{V,U} = f(r_U, r_V) = a + b(r_U + r_V) + c\,r_U r_V \bmod p$,<br />
computed by $U$ and $V$ as $g_U(r_V) = f(r_U, r_V) = g_V(r_U)$<br />
- TA transmits two elements to each user<br />
- $n$ channels needed<br />
- $2n$ keys needed<br />
- each user must store two elements<br />
- security<br />
- unconditionally secure against any individual user<br />
- any coalition of two users can determine all keys<br />
- generalization<br />
- TA chooses $f(x,y) = \sum_{i=0}^{k}\sum_{j=0}^{k} a_{ij}\, x^i y^j \bmod p$, with $a_{ij} = a_{ji}$<br />
- this scheme is secure against any coalition of size $k$<br />
- it is completely broken by any coalition of size $k+1$<br />
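An added example, not from the notes, of the generalized Blom scheme with the symmetric degree-k polynomial; setting k = 1 gives exactly the a, b, c scheme above. The functions model the TA's setup, the k+1 elements (the coefficients of g_U) sent to each user, and each user's own key computation; p = 101 and the user values r_U are constructed.

```python
# Added example, not from the lecture notes: Blom's scheme for the notes' general
# symmetric polynomial f(x,y) = sum_{i,j<=k} a_ij x^i y^j mod p with a_ij = a_ji.
# k = 1 is exactly the scheme above: a = a_00, b = a_01 = a_10, c = a_11.
import secrets
from typing import List

def ta_setup(p: int, k: int) -> List[List[int]]:
    """TA chooses a random symmetric (k+1)x(k+1) coefficient matrix over Z_p."""
    a = [[0] * (k + 1) for _ in range(k + 1)]
    for i in range(k + 1):
        for j in range(i, k + 1):
            a[i][j] = a[j][i] = secrets.randbelow(p)
    return a

def ta_share(a: List[List[int]], p: int, r_u: int) -> List[int]:
    """The k+1 coefficients of g_U(x) = f(x, r_U) mod p that the TA sends to U.
    For k = 1 this is (a_U, b_U) = (a + b*r_U, b + c*r_U)."""
    k = len(a) - 1
    return [sum(a[i][j] * pow(r_u, j, p) for j in range(k + 1)) % p
            for i in range(k + 1)]

def user_key(g_u: List[int], p: int, r_v: int) -> int:
    """U alone computes K_{U,V} = g_U(r_V); V computes g_V(r_U), the same value
    because f is symmetric."""
    return sum(c * pow(r_v, i, p) for i, c in enumerate(g_u)) % p

def f_eval(a: List[List[int]], p: int, x: int, y: int) -> int:
    """f(x, y) mod p, the TA's view of the key (never transmitted)."""
    k = len(a) - 1
    return sum(a[i][j] * pow(x, i, p) * pow(y, j, p)
               for i in range(k + 1) for j in range(k + 1)) % p

def all_pairs_agree(a: List[List[int]], p: int, ids: List[int]) -> bool:
    """Every pair of users derives the same key, equal to f(r_U, r_V)."""
    shares = {r: ta_share(a, p, r) for r in ids}
    return all(user_key(shares[u], p, v) == user_key(shares[v], p, u)
               == f_eval(a, p, u, v)
               for u in ids for v in ids if u != v)

if __name__ == "__main__":
    p = 101                                        # constructed toy prime
    a = ta_setup(p, 2)                             # k = 2: secure against 2-user coalitions
    print(all_pairs_agree(a, p, [3, 7, 20, 45]))   # True
```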
15.3 Diffie-Hellman key distribution scheme<br />
Diffie-Hellman Key Distribution Scheme<br />
- given: $p$ a public prime and $\alpha \in \mathbb{Z}_p^*$ a public primitive element<br />
- TA has secret $\mathrm{sig}_{TA}$ and public $\mathrm{ver}_{TA}$<br />
- $U$ has secret $a_U \le p-2$, public $b_U = \alpha^{a_U} \bmod p$, and the certificate<br />
$C(U) = (\mathrm{ID}(U), b_U, \mathrm{sig}_{TA}(\mathrm{ID}(U), b_U))$<br />
- everything is hashed before being signed<br />
1. $V$ computes $K_{U,V} = \alpha^{a_U a_V} \bmod p = b_U^{a_V} \bmod p$<br />
2. $U$ computes $K_{V,U} = \alpha^{a_U a_V} \bmod p = b_V^{a_U} \bmod p$<br />
- security<br />
- the certificate cannot be altered because of the signature of the TA<br />
- problem: given $b_U$ and $b_V$, can Oscar compute $K_{U,V}$ without knowing $a_U$ and $a_V$?<br />
Diffie-Hellman Problem (diffie-hellman)<br />
- given: $p$ prime, $\alpha \in \mathbb{Z}_p^*$ primitive, $\beta, \gamma \in \mathbb{Z}_p^*$<br />
- compute: $\beta^{\log_\alpha \gamma} \bmod p$ $(= \gamma^{\log_\alpha \beta} \bmod p)$<br />
Theorem 15.1. Solving diffie-hellman is equivalent to breaking ElGamal cryptosystem.<br />
15.4 Kerberos<br />
- keys used for a long time can be compromised<br />
- idea: a new key every time a pair of users want to communicate (key freshness)<br />
- the users need not share secret keys with each other<br />
- each user $U$ will share a secret key $K_U$ with the TA<br />
- Kerberos – secret-key based<br />
A session key in Kerberos<br />
- given: each user $U$ shares a secret key $K_U$ with the TA<br />
1. $U$ asks the TA for a session key to communicate with $V$<br />
2. TA chooses a random session key $K$, a timestamp $T$, and a lifetime $L$<br />
3. TA sends to $U$<br />
$m_1 = e_{K_U}(K, \mathrm{ID}(V), T, L)$ and $m_2 = e_{K_V}(K, \mathrm{ID}(U), T, L)$<br />
4. $U$ decrypts $m_1$ and obtains $K, T, L$, and $\mathrm{ID}(V)$<br />
5. $U$ sends to $V$: $m_2$ (from the TA) and $m_3 = e_K(\mathrm{ID}(U), T)$<br />
6. $V$ decrypts $m_2$ and then $m_3$ using $K$<br />
7. $V$ verifies that the two $T$’s and the two $\mathrm{ID}(U)$’s are the same<br />
8. $V$ sends to $U$: $m_4 = e_K(T+1)$<br />
9. $U$ decrypts $m_4$ and verifies $T+1$<br />
- $m_1$ and $m_2$ – for key security<br />
- $m_3$ and $m_4$ – for key confirmation<br />
- $T$ and $L$ – to prevent Oscar from storing old keys for later use<br />
15.5 Diffie-Hellman key exchange scheme<br />
- without an on-line key server<br />
Diffie-Hellman Key Exchange Scheme<br />
- given: $p$ a public prime and $\alpha \in \mathbb{Z}_p^*$ a public primitive element<br />
1. $U$ chooses random $a_U \le p-2$<br />
2. $U$ sends $\alpha^{a_U} \bmod p$ to $V$<br />
3. $V$ chooses random $a_V \le p-2$<br />
4. $V$ sends $\alpha^{a_V} \bmod p$ to $U$<br />
5. $U$ computes $K_{U,V} = (\alpha^{a_V})^{a_U} \bmod p = \alpha^{a_U a_V} \bmod p$<br />
6. $V$ computes $K_{V,U} = (\alpha^{a_U})^{a_V} \bmod p = \alpha^{a_U a_V} \bmod p$<br />
- Diffie-Hellman key exchange – the information transmitted:<br />
$U \longrightarrow V$: $\alpha^{a_U}$<br />
$U \longleftarrow V$: $\alpha^{a_V}$<br />
- intruder-in-the-middle attack<br />
$U \longrightarrow$ Oscar: $\alpha^{a_U}$<br />
$U \longleftarrow$ Oscar: $\alpha^{a'_V}$<br />
Oscar $\longrightarrow V$: $\alpha^{a'_U}$<br />
Oscar $\longleftarrow V$: $\alpha^{a_V}$<br />
- Oscar has two keys, $K_{\mathrm{Oscar},U} = \alpha^{a_U a'_V} \bmod p$ and $K_{\mathrm{Oscar},V} = \alpha^{a'_U a_V} \bmod p$<br />
- Oscar can communicate with either of $U$ and $V$<br />
- $U$ and $V$ cannot notice that they do not communicate with each other<br />
- $U$ and $V$ cannot communicate with each other as their keys are different<br />
15.6 Station-to-station protocol<br />
- idea: to avoid the intruder-in-the-middle attack<br />
- the key-agreement protocol should also authenticate the identities of the parties<br />
- authenticated key agreement<br />
- uses certificates and signatures (of the TA and of the users)<br />
Station-to-station Protocol<br />
- given: $p$ a public prime and $\alpha \in \mathbb{Z}_p^*$ a public primitive element<br />
- TA has secret $\mathrm{sig}_{TA}$ and public $\mathrm{ver}_{TA}$<br />
- each user $U$ has secret $\mathrm{sig}_U$, public $\mathrm{ver}_U$, and a public certificate<br />
$C(U) = (\mathrm{ID}(U), \mathrm{ver}_U, \mathrm{sig}_{TA}(\mathrm{ID}(U), \mathrm{ver}_U))$<br />
1. $U$ chooses a random $a_U \le p-2$<br />
2. $U$ computes and sends $\alpha^{a_U} \bmod p$ to $V$<br />
3. $V$ chooses a random $a_V \le p-2$<br />
4. $V$ computes $\alpha^{a_V} \bmod p$, $K_{V,U} = \alpha^{a_U a_V} \bmod p$, and $y_V = \mathrm{sig}_V(\alpha^{a_V}, \alpha^{a_U})$<br />
5. $V$ sends $(C(V), \alpha^{a_V} \bmod p, y_V)$ to $U$<br />
6. $U$ computes $K_{U,V} = \alpha^{a_U a_V} \bmod p$<br />
7. $U$ verifies $y_V$ using $\mathrm{ver}_V$ and $C(V)$ using $\mathrm{ver}_{TA}$<br />
8. $U$ computes $y_U = \mathrm{sig}_U(\alpha^{a_U}, \alpha^{a_V})$ and sends $(C(U), y_U)$ to $V$<br />
9. $V$ verifies $y_U$ using $\mathrm{ver}_U$ and $C(U)$ using $\mathrm{ver}_{TA}$<br />
- the information is transmitted as follows (three-pass protocol):<br />
$U \longrightarrow V$: $\alpha^{a_U}$<br />
$U \longleftarrow V$: $C(V), \alpha^{a_V}, \mathrm{sig}_V(\alpha^{a_V}, \alpha^{a_U})$<br />
$U \longrightarrow V$: $C(U), \mathrm{sig}_U(\alpha^{a_U}, \alpha^{a_V})$<br />
- attempted intruder-in-the-middle attack:<br />
- Oscar cannot compute $\mathrm{sig}_V(\alpha^{a'_V}, \alpha^{a_U})$ to send to $U$<br />
- Oscar cannot compute $\mathrm{sig}_U(\alpha^{a'_U}, \alpha^{a_V})$ to send to $V$<br />
$U \longrightarrow$ Oscar: $\alpha^{a_U}$<br />
$U \longleftarrow$ Oscar: $\alpha^{a'_V}, \mathrm{sig}_V(\alpha^{a'_V}, \alpha^{a_U}) = \;?$ (Oscar cannot produce this signature)<br />
$U \longrightarrow$ Oscar: $\mathrm{sig}_U(\alpha^{a_U}, \alpha^{a'_V})$<br />
Oscar $\longrightarrow V$: $\alpha^{a'_U}$<br />
Oscar $\longleftarrow V$: $\alpha^{a_V}, \mathrm{sig}_V(\alpha^{a_V}, \alpha^{a'_U})$<br />
Oscar $\longrightarrow V$: $\mathrm{sig}_U(\alpha^{a'_U}, \alpha^{a_V}) = \;?$ (Oscar cannot produce this signature)<br />
15.7 MTI key agreement protocol<br />
- idea: without signatures of the users<br />
(MTI = Matsumoto, Takashima, Imai)<br />
MTI Key Agreement Protocol<br />
- given: $p$ a public prime and $\alpha \in \mathbb{Z}_p^*$ a public primitive element<br />
- TA has secret $\mathrm{sig}_{TA}$ and public $\mathrm{ver}_{TA}$<br />
- each user $U$ has secret $a_U$, public $b_U = \alpha^{a_U} \bmod p$, and public certificate<br />
$C(U) = (\mathrm{ID}(U), b_U, \mathrm{sig}_{TA}(\mathrm{ID}(U), b_U))$<br />
1. $U$ chooses a random $r_U \le p-2$<br />
2. $U$ computes $s_U = \alpha^{r_U} \bmod p$ and sends $(C(U), s_U)$ to $V$<br />
3. $V$ chooses a random $r_V \le p-2$<br />
4. $V$ computes $s_V = \alpha^{r_V} \bmod p$ and sends $(C(V), s_V)$ to $U$<br />
5. $U$ computes $K_{U,V} = s_V^{a_U}\, b_V^{r_U} \bmod p = \alpha^{r_U a_V + r_V a_U} \bmod p$<br />
6. $V$ computes $K_{V,U} = s_U^{a_V}\, b_U^{r_V} \bmod p = \alpha^{r_U a_V + r_V a_U} \bmod p$<br />
- the information is transmitted as follows (two-pass protocol):<br />
$U \longrightarrow V$: $C(U), \alpha^{r_U}$<br />
$U \longleftarrow V$: $C(V), \alpha^{r_V}$<br />
- attempted intruder-in-the-middle attack:<br />
$U \longrightarrow$ Oscar: $C(U), \alpha^{r_U}$<br />
$U \longleftarrow$ Oscar: $C(V), \alpha^{r'_V}$<br />
Oscar $\longrightarrow V$: $C(U), \alpha^{r'_U}$<br />
Oscar $\longleftarrow V$: $C(V), \alpha^{r_V}$<br />
- $U$ and $V$ will compute different keys<br />
- $U$ computes $K_1 = \alpha^{r_U a_V + r'_V a_U}$<br />
- $V$ computes $K_2 = \alpha^{r'_U a_V + r_V a_U}$<br />
- neither of these can be computed by Oscar<br />
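An added example (not from the notes) that runs the two-pass MTI exchange and the intruder-in-the-middle attempt above with the toy values p = 467, alpha = 2 (constructed; 2 is a primitive element mod 467). Certificates are modelled as (ID, b_U) pairs whose TA signature is assumed to have been verified already, which is why Oscar can replace only the ephemeral values.

```python
# Added example, not from the lecture notes: the MTI protocol with toy p = 467 and
# alpha = 2 (a primitive element mod 467; constructed values, not a real-size group).
# A certificate C(U) is modelled as the pair (ID(U), b_U); the TA's signature on it
# is assumed to have been verified with ver_TA, so Oscar cannot alter b_U.
from typing import Tuple

P, ALPHA = 467, 2

def static_keys(a_u: int) -> Tuple[int, int]:
    """Long-term pair: secret a_U, public b_U = alpha^a_U mod p (carried in C(U))."""
    return a_u, pow(ALPHA, a_u, P)

def ephemeral(r_u: int) -> int:
    """s_U = alpha^r_U mod p, sent together with C(U)."""
    return pow(ALPHA, r_u, P)

def mti_key(a_self: int, r_self: int, b_peer: int, s_peer: int) -> int:
    """Step 5/6: K = s_peer^a_self * b_peer^r_self mod p = alpha^(r_U a_V + r_V a_U)."""
    return pow(s_peer, a_self, P) * pow(b_peer, r_self, P) % P

def honest_run(a_u: int, r_u: int, a_v: int, r_v: int) -> Tuple[int, int]:
    """Two-pass exchange (C(U), s_U) ->, <- (C(V), s_V); returns (K_{U,V}, K_{V,U})."""
    _, b_u = static_keys(a_u)
    _, b_v = static_keys(a_v)
    k_uv = mti_key(a_u, r_u, b_v, ephemeral(r_v))
    k_vu = mti_key(a_v, r_v, b_u, ephemeral(r_u))
    return k_uv, k_vu

def intruder_run(a_u: int, r_u: int, a_v: int, r_v: int,
                 r_u2: int, r_v2: int) -> Tuple[int, int]:
    """The notes' attempt: Oscar forwards the certified b's unchanged but replaces
    s_U by alpha^r'_U and s_V by alpha^r'_V.  Returns (K_1, K_2): U and V end up
    with different keys, and each contains a factor (s_V^a_U resp. s_U^a_V) that
    requires a long-term secret Oscar does not have."""
    _, b_u = static_keys(a_u)
    _, b_v = static_keys(a_v)
    k1 = mti_key(a_u, r_u, b_v, ephemeral(r_v2))   # U: alpha^(r_U a_V + r'_V a_U)
    k2 = mti_key(a_v, r_v, b_u, ephemeral(r_u2))   # V: alpha^(r'_U a_V + r_V a_U)
    return k1, k2

if __name__ == "__main__":
    print(honest_run(3, 5, 7, 11))             # the two keys agree
    print(intruder_run(3, 5, 7, 11, 13, 17))   # K_1 != K_2: the sessions do not match
```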
15.8 Self-certifying keys<br />
- idea: without certificates<br />
- the public key and the identity of the owner authenticate each other<br />
Girault Key Agreement Protocol<br />
- given: $p, q, p_1, q_1$ secret primes (known to the TA), $p = 2p_1 + 1$, $q = 2q_1 + 1$<br />
- public $n = pq$<br />
- secret $\alpha \in \mathbb{Z}_n^*$, $\mathrm{ord}(\alpha) = 2p_1 q_1$<br />
- each $U$ has $\mathrm{ID}(U)$<br />
1. TA chooses a public RSA encryption exponent $e$<br />
2. TA computes the secret decryption exponent $d = e^{-1} \bmod \phi(n)$<br />
3. (each) $U$ chooses a secret $a_U$ and sends $a_U$ and $b_U = \alpha^{a_U} \bmod n$ to the TA<br />
4. TA computes $p_U = (b_U - \mathrm{ID}(U))^d \bmod n$ and sends it to $U$<br />
($p_U$ is called $U$’s self-certifying public key)<br />
5. $U$ chooses a random $r_U \le p-2$ and computes $s_U = \alpha^{r_U} \bmod n$<br />
6. $U$ sends $(\mathrm{ID}(U), p_U, s_U)$ to $V$<br />
7. $V$ chooses a random $r_V \le p-2$ and computes $s_V = \alpha^{r_V} \bmod n$<br />
8. $V$ sends $(\mathrm{ID}(V), p_V, s_V)$ to $U$<br />
9. $U$ computes $K_{U,V} = s_V^{a_U}\,(p_V^{\,e} + \mathrm{ID}(V))^{r_U} \bmod n = \alpha^{r_U a_V + r_V a_U} \bmod n$<br />
10. $V$ computes $K_{V,U} = s_U^{a_V}\,(p_U^{\,e} + \mathrm{ID}(U))^{r_V} \bmod n = \alpha^{r_U a_V + r_V a_U} \bmod n$<br />
- notes<br />
- $U$ needs the TA to produce $p_U$<br />
- $b_U = p_U^{\,e} + \mathrm{ID}(U) \bmod n$ – can be computed from $p_U$ and $\mathrm{ID}(U)$ using only public information<br />
- comments<br />
- if Oscar produces some (faked) $b'_U$ without the cooperation of the TA, then he cannot compute the keys<br />
- if Oscar tries intruder-in-the-middle<br />
- the information transmitted is:<br />
$U \longrightarrow V$: $\mathrm{ID}(U), p_U, s_U = \alpha^{r_U} \bmod n$<br />
$U \longleftarrow V$: $\mathrm{ID}(V), p_V, s_V = \alpha^{r_V} \bmod n$<br />
- attempted intruder-in-the-middle<br />
$U \longrightarrow$ Oscar: $\mathrm{ID}(U), p_U, \alpha^{r_U} \bmod n$<br />
$U \longleftarrow$ Oscar: $\mathrm{ID}(V), p'_V, \alpha^{r'_V} \bmod n$<br />
Oscar $\longrightarrow V$: $\mathrm{ID}(U), p'_U, \alpha^{r'_U} \bmod n$<br />
Oscar $\longleftarrow V$: $\mathrm{ID}(V), p_V, \alpha^{r_V} \bmod n$<br />
- Oscar cannot choose $b'_V$ first because he cannot then compute $p'_V = (b'_V - \mathrm{ID}(V))^d \bmod n$<br />
- so Oscar chooses $r'_V$ and $p'_V$; Oscar can compute $b'_V$, which will correspond to some $a'_V$, i.e., $b'_V = \alpha^{a'_V}$<br />
$\bmod n$, but Oscar cannot compute $a'_V$<br />
- $U$ computes $K_1 = \alpha^{r_U a'_V + r'_V a_U} \bmod n$<br />
- $V$ computes $K_2 = \alpha^{r'_U a_V + r_V a'_U} \bmod n$<br />
- Oscar cannot compute either one<br />
- one possible attack – if the TA does not ask for both $a_U$ and $b_U$<br />
- $U$ is required to give to the TA both $a_U$ and $b_U$<br />
- the TA does not need $a_U$; $p_U$ can be computed without it<br />
- if users are not required to send both, attacks are possible<br />
- Oscar chooses a fake $a'_U$<br />
- Oscar computes $b'_U = \alpha^{a'_U} \bmod n$<br />
(Oscar needs $p'_U = (b'_U - \mathrm{ID}(U))^d \bmod n$, which only the TA, who knows $d$, can compute)<br />
- Oscar computes $b'_{\mathrm{Oscar}} = b'_U - \mathrm{ID}(U) + \mathrm{ID}(\mathrm{Oscar})$<br />
- Oscar sends $\mathrm{ID}(\mathrm{Oscar})$ and $b'_{\mathrm{Oscar}}$ to the TA<br />
- TA issues the public key $p'_{\mathrm{Oscar}} = (b'_{\mathrm{Oscar}} - \mathrm{ID}(\mathrm{Oscar}))^d \bmod n$<br />
- now $p'_{\mathrm{Oscar}} = p'_U$ – so Oscar obtained it<br />
- Oscar, as the intruder-in-the-middle, can now compute the common key with $V$ because he knows $a'_U$<br />
- so, Oscar can decrypt messages sent by $V$ to $U$<br />
16 CRYPTOGRAPHIC PROTOCOLS<br />
A cryptographic protocol constitutes an algorithm for communication between different parties, adversaries or<br />
not. The goal achieved is usually beyond the simple secrecy of message transmission. For instance, one party<br />
can sign a message without seeing it, a secret can be divided among several parties in such a way that the<br />
secret can be reconstructed only when joining the information of all parties (or a certain number of those), one<br />
party can convince another that he/she is in possession of some information without disclosing anything of the<br />
information itself. Protocols realizing such goals have changed our ideas about what is impossible when several<br />
parties, adversaries or not, are communicating with each other.<br />
16.1 Blind signatures<br />
- idea: Alice wants Bob to sign a message $x$ without seeing it (Bob trusts Alice)<br />
- normally, Bob would compute his signature on $x$ as $x^d \bmod n$, but now he cannot do it this way as he<br />
would see $x$<br />
Blind signature<br />
- given: RSA setup<br />
1. Alice chooses a random secret $k$, $1 < k < n$<br />
2. Alice “blinds” $x$ by computing $t = x k^e \bmod n$ ($t$ looks random to Bob)<br />
3. Bob signs $t$: $t^d \equiv (x k^e)^d \equiv x^d k^{ed} \equiv x^d k \pmod n$<br />
4. Alice “unblinds” the signed $x$: $s = t^d k^{-1} \equiv x^d \pmod n$<br />
- analogy: Alice seals the message inside an envelope with a piece of carbon paper. Bob signs the outside of<br />
the envelope; the signature goes also on the message. Alice then opens the envelope and has Bob’s signature on<br />
the message.<br />
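The four steps above as an added example, not from the notes, using the textbook toy RSA key n = 3233 = 61·53, e = 17, d = 2753 (assumed values; d = e^{-1} mod phi(n)):

```python
# Added example, not from the lecture notes: RSA blind signature with the textbook
# toy key n = 3233 = 61 * 53, e = 17, d = 2753 (constructed; d = e^-1 mod phi(n)).
import secrets
from math import gcd
from typing import Tuple

N, E, D = 3233, 17, 2753          # Bob's RSA key; Alice knows only (n, e)

def choose_blinding() -> int:
    """Step 1: random secret k, 1 < k < n, invertible modulo n."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if gcd(k, N) == 1:
            return k

def blind(x: int, k: int) -> int:
    """Step 2 (Alice): t = x * k^e mod n; t looks random to Bob."""
    return x * pow(k, E, N) % N

def sign_blinded(t: int) -> int:
    """Step 3 (Bob): t^d mod n, computed without ever seeing x."""
    return pow(t, D, N)

def unblind(signed_t: int, k: int) -> int:
    """Step 4 (Alice): s = t^d * k^-1 = x^d * k^(ed) * k^-1 = x^d mod n."""
    return signed_t * pow(k, -1, N) % N

def verify(x: int, s: int) -> bool:
    """Anyone: s is Bob's RSA signature on x iff s^e = x mod n."""
    return pow(s, E, N) == x

def blind_sign_roundtrip(x: int, k: int) -> Tuple[int, int]:
    """Returns (what Bob saw, the unblinded signature on x)."""
    t = blind(x, k)
    return t, unblind(sign_blinded(t), k)

if __name__ == "__main__":
    t, s = blind_sign_roundtrip(65, 7)       # constructed message 65, blinding 7
    print(t, s, verify(65, s))               # Bob saw t != 65; s verifies on 65
```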
16.2 Secret sharing<br />
- idea: a secret key $K$ is to be shared among $w$ parties such that any $t$ parties can discover $K$ but any $t-1$<br />
cannot<br />
- example: the control of nuclear weapons in Russia; any two parties among the President, Defence Minister,<br />
and Defence Ministry can control those but one only cannot<br />
- example: $K$ opens a secret safe in a bank; any four tellers can open, one manager and two tellers can<br />
open, any two managers can open, and the president can open but nothing less can.<br />
We define a $(t,w)$-threshold scheme as a method of sharing $K$ among $w$ parties such that any $t$ can compute $K$,<br />
and any $t-1$ cannot. (A $(4,w)$-threshold scheme would solve the above safe problem.) We assume the parties<br />
are $P_i$, $1 \le i \le w$, and that there is a trusted dealer $D$ which gives each party its share.<br />
We give first a simple solution for the case $t = w$; this is called secret splitting.<br />
Secret splitting – $(t,t)$-threshold scheme<br />
- given: the secret key $K$; we assume $K$ is a binary string of length $l$<br />
1. $D$ chooses $w-1$ random binary strings $s_i$, $1 \le i \le t-1$, each of length $l$<br />
2. $D$ gives $s_i$ to $P_i$, $1 \le i \le t-1$<br />
3. $D$ gives $P_t$ the string $s_t = \bigoplus_{i=1}^{t-1} s_i \oplus K$<br />
- correctness:<br />
- all parties can join and xor their shares: $\bigoplus_{i=1}^{t} s_i = \bigoplus_{i=1}^{t-1} s_i \oplus \bigoplus_{i=1}^{t-1} s_i \oplus K = K$<br />
- if $t-1$ parties join their shares, then any $l$-bit string can be the value of the key<br />
Next we see a fully general scheme, due to Shamir.<br />
Shamir’s $(t,w)$-threshold scheme<br />
- given: the secret key $K$ as an integer number<br />
1. $D$ chooses a prime number $p \ge w+1$<br />
2. $D$ chooses $w$ different numbers $x_i \in \mathbb{Z}_p^*$, $1 \le i \le w$; these are public<br />
3. $D$ chooses random secret numbers $a_i \in \mathbb{Z}_p$, $1 \le i \le t-1$, and forms the polynomial<br />
$a(x) = \sum_{j=0}^{t-1} a_j x^j \bmod p,$<br />
where $a_0 = K$<br />
4. $D$ computes $y_i = a(x_i)$, $1 \le i \le w$<br />
5. $P_i$ receives $y_i$<br />
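An added example (not from the notes) implementing Shamir's (t,w)-threshold scheme together with the (t,t) XOR secret splitting of the previous box. Reconstruction recovers a(0) = K by Lagrange interpolation at x = 0 rather than by solving the linear system directly; the dealer's random coefficients can be passed in explicitly so that a run is reproducible.

```python
# Added example, not from the lecture notes: Shamir's (t,w)-threshold scheme over Z_p,
# with reconstruction by Lagrange interpolation at x = 0, plus the (t,t) XOR secret
# splitting.  Coefficients may be supplied (deterministic runs) or drawn from secrets.
import secrets
from functools import reduce
from typing import List, Optional, Sequence, Tuple

def shamir_split(K: int, t: int, w: int, p: int,
                 coeffs: Optional[Sequence[int]] = None) -> List[Tuple[int, int]]:
    """D forms a(x) = K + a_1 x + ... + a_{t-1} x^{t-1} mod p and hands party
    P_i the share (x_i, a(x_i)), with public x_i = 1, ..., w."""
    assert p > w and 0 <= K < p and 1 <= t <= w
    a = [K] + (list(coeffs) if coeffs is not None
               else [secrets.randbelow(p) for _ in range(t - 1)])
    assert len(a) == t
    return [(x, sum(aj * pow(x, j, p) for j, aj in enumerate(a)) % p)
            for x in range(1, w + 1)]

def shamir_recover(shares: Sequence[Tuple[int, int]], p: int) -> int:
    """Any t shares determine a(0) = K:
    K = sum_i y_i * prod_{j != i} x_j / (x_j - x_i)  (mod p)."""
    K = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % p
                den = den * (xj - xi) % p
        K = (K + yi * num * pow(den, -1, p)) % p
    return K

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_split(K: bytes, t: int) -> List[bytes]:
    """(t,t) secret splitting: t-1 random strings and s_t = s_1 xor ... xor s_{t-1} xor K."""
    shares = [secrets.token_bytes(len(K)) for _ in range(t - 1)]
    return shares + [reduce(xor_bytes, shares, K)]

def xor_join(shares: Sequence[bytes]) -> bytes:
    """All t parties xor their shares and obtain K."""
    return reduce(xor_bytes, shares)

if __name__ == "__main__":
    # constructed toy instance: K = 5, t = 3, w = 5, p = 17, a(x) = 5 + 2x + 3x^2
    shares = shamir_split(5, 3, 5, 17, coeffs=[2, 3])
    print(shares)                                  # [(1, 10), (2, 4), (3, 4), (4, 10), (5, 5)]
    print(shamir_recover(shares[:3], 17))          # 5, from parties 1..3
    print(shamir_recover(shares[2:], 17))          # 5, from parties 3..5
    print(xor_join(xor_split(b"top secret", 4)))   # b'top secret'
```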
Let us see that the above scheme works as intended. We show first that any $t$ parties can find $K$. We<br />
consider, without loss of generality, the first $t$ parties. Their shares allow them to solve the system<br />
$$\begin{pmatrix} 1 & x_1 & x_1^2 & \cdots & x_1^{t-1} \\ 1 & x_2 & x_2^2 & \cdots & x_2^{t-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & x_t & x_t^2 & \cdots & x_t^{t-1} \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{t-1} \end{pmatrix} = \begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_t \end{pmatrix}$$<br />
The determinant of the system is (because the system has a Vandermonde matrix)<br />
$$\prod_{1 \le i < j \le t} (x_i - x_j) \bmod p$$<br />
16.3 Zero-knowledge proofs<br />
In this section we focus our attention on the following challenging and fascinating problem. Assume that $P$<br />
(the Prover) knows some information, which could be the proof of a long-standing open problem, the prime<br />
factorization of an integer, a 3-coloring of a graph, or simply a password or an identification number. $P$ would<br />
like to convince $V$ (the Verifier) that he is in possession of this information without revealing a bit of the<br />
information. Moreover, we want not only that $V$ does not learn anything about the information; we want $V$<br />
to learn nothing whatsoever, that is, $V$ is able to simulate the protocol without $P$.<br />
A simple protocol is the following.<br />
Zero-knowledge proof of factorization<br />
- given: an RSA integer $n$; $P$ wants to prove to $V$ that he knows the factorization of $n$<br />
1. $V$ chooses a random integer $x$ and tells $x^4 \bmod n$ to $P$<br />
2. $P$ tells $x^2 \bmod n$ to $V$<br />
$V$ obtains no information because she can square $x$ herself. On the other hand, extracting square roots<br />
is equivalent to factoring $n$. In step 2, $P$ not only has to extract a square root of $x^4$ but the particular one<br />
among the four square roots which is a quadratic residue modulo $n$. Determining quadratic residuosity is also<br />
intractable without knowledge of the factors of $n$.<br />
Next we give a zero-knowledge proof of identity. A common problem with most identification techniques<br />
such as ID cards, credit cards, and computer passwords is that $P$ proves his identity by revealing a word $i(P)$<br />
that is memorized or printed on a card. An adversary cooperating with a dishonest verifier can learn $i(P)$ and<br />
thus can later use it to pretend to be $P$.<br />
An obvious solution to this problem is to use a zero-knowledge proof to convince $V$ that $P$ knows $i(P)$<br />
without revealing a single bit about it.<br />
In the protocol below, the existence of a trusted agency is assumed. The only purpose of the agency is to<br />
publish a modulus $n$ which equals the product of two large primes $p$ and $q$ but to keep the two primes secret.<br />
After publishing, the agency may cease to exist.<br />
Zero-knowledge proof of identity<br />
- given: a modulus $n = pq$, with $p, q$ large secret primes, $p \equiv 3 \pmod 4$, $q \equiv 3 \pmod 4$<br />
- $P$’s secret identification $i(P)$ consists of $k$ numbers $c_1, c_2, \ldots, c_k$, $1 \le c_j < n$<br />
- $P$’s public identification $pi(P)$ consists of $k$ numbers $d_1, d_2, \ldots, d_k$, $1 \le d_j < n$, such that each $d_j$ satisfies<br />
one of the congruences<br />
$d_j c_j^2 \equiv \pm 1 \pmod n$<br />
1. $P$ chooses a random number $r$, computes $\pm r^2 \bmod n$ and sends one of them, call it $x$, to $V$<br />
2. $V$ chooses a subset $S \subseteq \{1, 2, \ldots, k\}$ and tells it to $P$<br />
3. $P$ tells $V$ the number<br />
$y = r \prod_{j \in S} c_j \pmod n$<br />
4. $V$ verifies the condition<br />
$x \equiv \pm y^2 \prod_{j \in S} d_j \pmod n$<br />
Observe that the verification in step 4 should hold because<br />
$y^2 \prod_{j \in S} d_j \equiv r^2 \Big(\prod_{j \in S} c_j\Big)^2 \prod_{j \in S} d_j \equiv \pm r^2 \equiv \pm x \pmod n.$<br />
The use of $r$ is necessary because, otherwise, $V$ would find out any $c_j$ by choosing $S = \{j\}$. The special form of<br />
$p$ and $q$ guarantees that the numbers $d_j$ can range over all integers with Jacobi symbol $+1$ (mod $n$). This<br />
implies that $V$ can be sure that the numbers $c_j$ exist. A tacit assumption is that any $c_j$ is relatively prime with<br />
$n$, otherwise $n$ can be factorized and the whole world collapses.<br />
The only way for $P$ to cheat is to guess $S$ in advance; the probability to do that is $2^{-k}$ and becomes $2^{-kt}$<br />
when the protocol is repeated $t$ times.<br />
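An added example, not from the notes, running one round of the identity protocol above with the toy modulus n = 77 = 7·11 (both primes are 3 mod 4) and k = 3 secrets c_j (constructed values). It also shows, with an impostor who must commit to a guess of S before seeing it, why cheating succeeds in a round only when the guess is right, i.e. with probability 2^{-k}.

```python
# Added example, not from the lecture notes: one round of the zero-knowledge proof
# of identity with the toy modulus n = 7 * 11 = 77 (both primes are 3 mod 4; a real
# n is a large RSA modulus).  The prover holds c_j, the public file holds d_j.
import secrets
from math import gcd
from typing import Iterable, List, Sequence, Set

N = 77   # constructed toy modulus

def public_id(secret_c: Sequence[int], signs: Sequence[int]) -> List[int]:
    """d_j = sign_j * (c_j^2)^-1 mod n, so that d_j c_j^2 = +-1 (mod n)."""
    assert all(gcd(c, N) == 1 for c in secret_c)   # the tacit assumption in the notes
    return [s * pow(c * c % N, -1, N) % N for c, s in zip(secret_c, signs)]

def prover_commit(r: int, sign: int) -> int:
    """Step 1: x = +-r^2 mod n (P keeps r secret)."""
    return sign * r * r % N

def prover_respond(r: int, secret_c: Sequence[int], S: Iterable[int]) -> int:
    """Step 3: y = r * prod_{j in S} c_j mod n."""
    y = r
    for j in S:
        y = y * secret_c[j] % N
    return y

def verifier_check(x: int, y: int, public_d: Sequence[int], S: Iterable[int]) -> bool:
    """Step 4: x == +- y^2 * prod_{j in S} d_j (mod n)."""
    v = y * y % N
    for j in S:
        v = v * public_d[j] % N
    return x == v or x == (N - v) % N

def honest_round(secret_c: Sequence[int], public_d: Sequence[int]) -> bool:
    """P and V run one round with a fresh random r, sign and challenge S."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            break
    x = prover_commit(r, secrets.choice((1, -1)))
    S = {j for j in range(len(secret_c)) if secrets.randbelow(2)}   # V's challenge
    return verifier_check(x, prover_respond(r, secret_c, S), public_d, S)

def impostor_round(public_d: Sequence[int], guess: Set[int],
                   challenge: Set[int], y: int) -> bool:
    """Without the c_j one can only fix y first and send x = y^2 prod_{j in guess} d_j,
    betting that V will ask for S = guess; the round passes only if the bet was right."""
    x = y * y % N
    for j in guess:
        x = x * public_d[j] % N
    return verifier_check(x, y, public_d, challenge)

if __name__ == "__main__":
    c = (2, 3, 5)                          # i(P), secret (constructed)
    d = public_id(c, (1, -1, 1))           # pi(P) = [58, 17, 37], public
    print(all(honest_round(c, d) for _ in range(20)))   # True
    print(impostor_round(d, {0}, {1}, 5))               # False: guessed S wrong
```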
Contents<br />
1 INTRODUCTION 2<br />
1.1 Why do we need cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2<br />
1.2 Goals of cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2<br />
1.3 Definitions and notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
1.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
1.5 Symmetric-key encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5<br />
1.6 Public-key encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5<br />
2 SEVERAL CLASSICAL SYSTEMS 8<br />
2.1 Modular arithmetic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8<br />
2.2 The shift cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8<br />
2.3 The substitution cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8<br />
2.4 The affine cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
2.5 The Vigenère cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10<br />
2.6 The Hill cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
2.7 The permutation cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
2.8 Stream ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
2.9 One-time pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14<br />
3 PERFECT SECRECY 15<br />
3.1 Probability theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
3.2 Perfect secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
4 DATA ENCRYPTION STANDARD 18<br />
4.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
4.2 Feistel ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
4.3 Description of DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20<br />
4.4 Analysis of DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21<br />
4.5 Modes of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21<br />
4.6 Triple DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
5 LINEAR AND DIFFERENTIAL CRYPTANALYSIS 25<br />
5.1 Iterated ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
5.2 Substitution-permutation network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
5.3 Linear cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28<br />
5.3.1 The piling-up lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28<br />
5.4 Linear approximation of S-boxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29<br />
5.5 A linear attack on SPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30<br />
5.6 Complexity of attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32<br />
5.7 Differential cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33<br />
5.8 Applications to DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36<br />
6 FINITE FIELDS 37<br />
6.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37<br />
6.2 Modular arithmetic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37<br />
6.3 Polynomial rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
6.4 The ring Z p [x] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
6.5 Finite fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40<br />
6.6 Motivation for using finite fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40<br />
6.7 Computational considerations in F 2 n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7 ADVANCED ENCRYPTION STANDARD 43<br />
7.1 The new st<strong>and</strong>ard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43<br />
7.2 Description of AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43<br />
7.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49<br />
8 MORE NUMBER THEORY 50<br />
8.1 Complexity of arithmetic operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50<br />
8.2 The Chinese remainder theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50<br />
8.3 The theorems of Fermat and Euler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52<br />
8.4 Cyclic groups <strong>and</strong> primitive elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52<br />
8.5 Discrete logarithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54<br />
9 PUBLIC-KEY CRYPTOGRAPHY AND RSA 55<br />
9.1 The idea of public keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55<br />
9.2 The RSA cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56<br />
9.3 RSA security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56<br />
9.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57<br />
9.5 Fast modular exponentiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57<br />
9.6 Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58<br />
9.7 Randomized algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58<br />
9.8 Primality tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60<br />
9.9 Attacks on RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62<br />
9.9.1 Decryption exponent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63<br />
9.9.2 Wiener’s low decryption exponent attack . . . . . . . . . . . . . . . . . . . . . . . . . . . 64<br />
9.9.3 Partial information about plaintext bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66<br />
10 FACTORING ALGORITHMS 68<br />
10.1 Trial division . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68<br />
10.2 Pollard’s p−1 algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68<br />
10.3 Pollard’s rho algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69<br />
10.4 R<strong>and</strong>om square factoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69<br />
10.5 Quadratic sieve algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70<br />
10.6 The best current factoring algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71<br />
10.7 Factoring RSA moduli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71<br />
11 OTHER PUBLIC-KEY CRYPTOSYSTEMS 72<br />
11.1 Rabin cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72<br />
11.2 Security of Rabin cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73<br />
11.3 ElGamal cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73<br />
12 ALGORITHMS FOR DISCRETE LOGARITHM 75<br />
12.1 Shank’s baby-step giant-step algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
12.2 Pohlig-Hellman algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
13 HASH FUNCTIONS AND MESSAGE AUTHENTICATION 77<br />
13.1 Data integrity and hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77<br />
13.2 Properties of hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77<br />
13.3 Security of hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78<br />
13.4 Iterated hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80<br />
13.5 MD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81<br />
13.6 SHA-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81<br />
13.7 RIPEMD-160 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81<br />
13.8 Message authentication codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81<br />
13.9 CBC-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82<br />
13.10 HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82<br />
13.11 Basic uses of encryption, hash functions, and MACs . . . . . . . . . . . . . . . . . . . . . . . . . 82<br />
14 DIGITAL SIGNATURES AND AUTHENTICATION 85<br />
14.1 Digital versus conventional signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
14.2 What is a signature scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
14.3 RSA signature scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
14.4 ElGamal signature scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86<br />
14.5 Schnorr signature scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88<br />
14.6 Digital Signature Algorithm (DSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88<br />
15 KEY DISTRIBUTION AND KEY AGREEMENT 89<br />
15.1 Key distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89<br />
15.2 Blom key distribution scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90<br />
15.3 Diffie-Hellman key distribution scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90<br />
15.4 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91<br />
15.5 Diffie-Hellman key exchange scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91<br />
15.6 Station-to-station protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92<br />
15.7 MTI key agreement protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93<br />
15.8 Self-certifying keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93<br />
16 CRYPTOGRAPHIC PROTOCOLS 95<br />
16.1 Blind signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95<br />
16.2 Secret sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95<br />
16.3 Zero-knowledge proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97